Hackers use ransomware to encrypt victims’ files and render them inaccessible until a ransom is paid. This forces the victims to pay a ransom to regain access to compromised systems and data.
This tactic leads to financial gains for the threat actors. While ransomware attacks can be conducted at scale and threat actors can target individuals, businesses, and organizations.
The Babuk ransomware decryptor has recently received an update from Avast cybersecurity researchers, Cisco Talos, and the Dutch Police to allow for the recovery of files infected with the most recent ransomware variant.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Technical Analysis
Babuk ransomware initially emerged in early 2021, and it is known for the following key things:-
- Targeting Windows systems
- Encrypting files
- Demanding ransom payments in exchange for decryption keys
Besides this, Babuk ransomware has gained immense attention for its Evolving tactics and the sophistication of its attacks.
Since its founding, the Avast security company has blocked over 5600 targeted attacks, the majority of which targeted individuals and organizations in the following nations:
- Brazil
- Czech Republic
- India
- The United States
- Germany
The recently updated Avast Babuk decryption tool can restore the files the Tortilla Babuk variant has encrypted.
Babuk ransomware source code was released in Sept 2021 in the form of a ZIP file on a Russian hacking forum, which included the following 14 victim-specific private keys:-
The cybersecurity analysts affirmed that the decryptor creation was easy as the encryption scheme remained unchanged from their analysis 2 years prior and the sample that the researchers analyzed was named “tortilla.exe.”.
The Babuk encryptor is likely made from leaked sources and uses a single key for Tortilla threat actor victims, as the researchers at Cisco noted.
However, using a single key makes the decryptor update beneficial for the entire campaign.
The updated Avast Decryptor is free to all, and it helps aid the Babuk victims in the Tortilla campaign with a .babyk extension on the encrypted files.
The creators of this ransomware drop the ransom note under the name “How To Restore Your Files.txt” in every directory of the compromised system:
IoCs
- bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49 (tortilla.exe)
Looking for cost-effective penetration testing services? Try Kelltron’s to assess and evaluate the security posture of digital systems – Free Demo