34.Key AbstractDigital

A new decryptor has been created for Babuk Tortilla ransomware victims, which will be included in a generic Babuk Decryptor that will contain all Babuk keys currently available. Let's examine the threat that Babuk ransomware poses to your systems and how to recover encrypted files should you fall victim to an attack.

Babuk Ransomware Versions to Be Aware Of

Babuk ransomware was first discovered in 2021 and has been responsible for multiple high-profile attacks against industries such as manufacturing or law enforcement.

The ransomware is a highly sophisticated strain, compiled on several hardware and software platforms. Windows and ARM Linux are the most common versions.

Cyber Security 3410923  340 Esm W493Babuk can also interrupt the backup process of the victim's system and delete volume shadow copies. This makes recovery even more difficult.

In September 2021, Babuk's code was published on an underground forum. This allowed multiple threat actors to create variations of strain.

Security researchers have identified ransomware families that have exploited Babuk:

  • Rook – December 2021
  • Night Sky - Jan 2022
  • Pandora - March 2022
  • Nokoyawa Cheerscrypt - May 2022
  • AstraLocker 2.0 - June 2022
  • ESXiArgs February 2023
  • Rorschach RTM Locker RA Group - April 2023

Tortilla was one of the threat actors responsible for Babuk ransomware attacks. In October 2021, Tortilla was observed targeting Microsoft Exchange servers that were vulnerable and trying to exploit ProxyShell to install the Babuk ransomware.

In a later law enforcement investigation, Dutch Police were able to apprehend and discover the person behind Tortilla.

The Tortilla decryptor key was recovered and has been added to a generic decryptor developed for a number of other Babuk variants.

This decryptor results from the Babuk generator and leaked source code. Tortilla used one key pair for all of its victims, while attackers could generate different public/private keys per campaign.

How Can I Recover Encrypted Files if I Fall Victim to Babuk Ransomware?

The updated version of Babuk can be downloaded from the NoMoreRansom or Avast decryptors pages.

This decryptor allows users to recover files quickly.

Recently, a number of decryptors were released to assist victims of ransomware.

Security Research Labs has published tools enabling the recovery of files encrypted by Black Basta Ransomware. The FBI, in response to law enforcement actions, announced in December 2023 that it had developed a decryption program for the notorious BlackCat Group.

Here are our top tips for preventing Linux ransomware attacks in the first place: 

  • Backup critical files and diversify the storage media to avoid a single point of failure (SPOF). This won’t prevent an attack but can mitigate potential damage.
  • Keep servers and endpoints up to date to ensure that they use the latest security patches.
  • Implement the principle of least privilege for user accounts.
  • Monitor network activity and system logs closely.
  • Keep tabs on event logs to identify anomalous behavior before it causes harm.
  • Use a combination of IP filtering, an intrusion detection system (IDS), and an intrusion prevention system (IPS).
  • Use Linux security extensions that control and restrict access to data or network resources.
  • Implement robust network segmentation and data compartmentalization to minimize the impact of a potential ransomware attack.
  • Audit systems regularly.

Have additional questions on the measures you can take to prevent or recover from Linux ransomware attacks? Please reach out to us on X @lnxsec- we're here to help!

Stay safe out there, fellow Linux users!