Cisco Talos has released a decryptor for the Tortilla variant of the Babuk ransomware, allowing victims of the malware attack to regain access to their files.
The cybersecurity company said threat intelligence it shared with Dutch law enforcement authorities made it possible to arrest the threat actors behind the operation.
The encryption key has also been shared with Avast, which previously released a decryptor for the Babuk ransomware after the source code was leaked in September 2021. The updated decryptor can be accessed here [EXE file].
“One private key is used for all victims of the Tortilla threat actor,” Avast noted. “This makes the decryptor update particularly useful, as all victims of the campaign can use it to decrypt their files.”
Talos first disclosed the Tortilla campaign in November 2021. The attack exploited a ProxyShell flaw in Microsoft Exchange servers to deliver ransomware in victim environments.
Tortilla is one of many ransomware variants whose file-encrypting malware is based on leaked Babuk source code. These include Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker and RA Group.
German cybersecurity company Security Research Labs (SRLabs) has released a Black Basta ransomware decryptor called Black Basta Buster, which exploits encryption vulnerabilities to partially or fully recover files.
“The file can be recovered if the 64 encrypted bytes of plaintext are known,” SRLabs said. “Whether a file is fully or partially recoverable depends on the size of the file.”
“Files smaller than 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost, but the rest can be recovered.”
Bleeping Computer reported late last month that Black Basta developers had fixed the issue, preventing the tool from handling newer infections.