TLDR:
A decryptor has been released by Cisco Talos for the Tortilla variant of the Babuk ransomware, allowing victims to regain access to their files. This comes after the cybersecurity firm shared threat intelligence with Dutch law enforcement that led to the arrest of the threat actor behind the operations. The decryption key has also been shared with Avast, which had previously released a decryptor for Babuk ransomware. German cybersecurity firm Security Research Labs (SRLabs) has also released a decryptor for Black Basta ransomware that takes advantage of a cryptographic weakness to recover files either partially or fully.
Summary:
A decryptor has been released for the Tortilla variant of the Babuk ransomware, allowing victims targeted by the malware to regain access to their files. Cisco Talos, the cybersecurity firm behind the decryptor, shared the threat intelligence it gathered with Dutch law enforcement authorities, which resulted in the arrest of the threat actor behind the operations.
Avast, which had previously released a decryptor for the Babuk ransomware after its source code was leaked in September 2021, has also been given the encryption key. Avast noted that “a single private key is used for all victims of the Tortilla threat actor,” which makes the updated decryptor useful for every victim of the campaign.
The Tortilla campaign was first disclosed by Talos in November 2021; it drops the ransomware inside victim environments after exploiting the ProxyShell flaws in Microsoft Exchange servers. Tortilla, together with other variants such as Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA Group, has based its file-encrypting malware on the leaked Babuk source code.
In addition to the Tortilla decryptor, German cybersecurity firm Security Research Labs (SRLabs) has released a decryptor for Black Basta ransomware. The decryptor, called Black Basta Buster, takes advantage of a cryptographic weakness to recover files either partially or fully. However, the tool no longer works with newer infections as the Black Basta developers have reportedly fixed the issue.