Cisco Talos [1] [2] [3] [4], in collaboration with Dutch law enforcement and Avast [3], has obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant [1]. This development is significant in the fight against Babuk ransomware and its various iterations.


The Babuk ransomware is a sophisticated strain that specifically targets industries such as manufacturing and law enforcement [4]. It is known for its ability to encrypt victims’ machines and disrupt the system backup process. In September 2021 [4], the source code for Babuk was leaked [4], leading to the emergence of different variations created by various threat actors.

One of these actors [4], known as Tortilla [4], was observed targeting vulnerable Microsoft Exchange servers and deploying the Babuk ransomware using the ProxyShell vulnerability [4]. However, thanks to the intelligence provided by Talos [3], the Dutch Police were able to identify and apprehend the threat actor behind Babuk Tortilla operations [2].

As part of their collaboration, Talos shared the private decryption key used by the threat actor with Avast [1]. Avast then incorporated this key into their Babuk decryptor, which was released in 2021. This decryptor includes all known private keys [1] [2], enabling affected businesses to recover their files encrypted by different Babuk ransomware variants [1] [2] [3].

To ensure the security of production environments, Avast made the decision to extract the private key from the Tortilla decryptor and add it to the list of keys supported by their Babuk decryptor. This approach avoids sharing any potentially untrusted executable code created by Tortilla.


The collaboration between Cisco Talos, Dutch law enforcement [1] [2] [3] [4], and Avast has resulted in a significant breakthrough in the fight against the Babuk Tortilla ransomware variant. The decryption key obtained from the threat actor has been incorporated into Avast’s decryptor, providing affected businesses with a means to recover their encrypted files.

This development not only aids in the recovery process but also helps in identifying and apprehending the threat actors behind Babuk Tortilla operations. It highlights the importance of collaboration between cybersecurity organizations and law enforcement agencies in combating sophisticated ransomware attacks.

Moving forward, it is crucial for users impacted by Tortilla ransomware attacks to download the updated decryptor from Avast or the NoMoreRansomware project [2]. This will ensure the most effective mitigation against Babuk ransomware and its variants, safeguarding against potential future attacks.