On January 9, 2024, Cisco Talos announced the release of a decryption tool for files encrypted by the Tortilla variant of the Babuk ransomware. In September 2021, only a few months after Babuk first appeared, a leak of the ransomware's original source code had allowed Avast to develop several decryption keys. Cisco Talos added its new tool to this decryption database.
Cybercriminals, often with no connection to the Russian-speaking Babuk group, used the leaked source code to build their own ransomware. Tortilla was likely the most widespread of these Babuk variants.
Cisco Talos experts thus managed to extract a decryption key from the new ransomware, although they provided no further details. Their investigation also led to the identification and arrest by local authorities of Tortilla’s developer, a young Dutch cybercriminal.
In November 2023, a Dutch court had sentenced another young Dutch cybercriminal, arrested in January 2023, to three years in prison and a year of probation. Responsible for several ransomware attacks, he had used Tortilla. The two cases could be linked, although Cisco Talos' announcement does not officially establish this.