Keypoints
- Avast released an updated Babuk decryptor capable of decrypting files encrypted by the Tortilla variant.
- The decryptor update was developed in cooperation with Cisco Talos and the Dutch Police and is free to use.
- Babuk source code was leaked in September 2021 and included ECDH-25519 private keys used for decryption.
- Cisco Talos found Tortilla uses a single private key for all victims, enabling one decryptor to restore multiple victims’ files.
- Victims can identify Tortilla infections by the .babyk file extension and the dropped ransom note “How To Restore Your Files.txt”.
- The Avast decryptor is downloadable from files.avast.com and is available via the NoMoreRansom project.
- Known IOC: hash bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49 (tortilla.exe).
MITRE Techniques
- [T1588.001] Acquire Capabilities – Attackers built a functional Babuk/Tortilla encryptor from leaked source code, enabling reuse: [‘The Babuk encryptor was likely created from the leaked sources using the build tool.’]
- [T1486] Data Encrypted for Impact – The malware performs file encryption (adds the .babyk extension) and drops a ransom note to each directory to demand payment: [‘Files encrypted by the ransomware have the .babyk extension’ and ‘The ransom note file is called How To Restore Your Files.txt’].
Indicators of Compromise
- [File hash] Tortilla sample – bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49 (tortilla.exe)
- [File names / extensions] Encrypted files and ransom note – .babyk extension, How To Restore Your Files.txt
- [Download URL / Domain] Decryptor and researcher pages – https://files.avast.com/files/decryptor/avast_decryptor_babuk.exe, https://decoded.avast.io (Avast Threat Labs)
Avast updated its Babuk decryptor to support the Tortilla variant after analyzing a sample (originally named tortilla.exe). Analysis confirmed that the encryption scheme follows the leaked Babuk implementation and uses the ECDH-25519 key pairs whose private halves were included in the leaked ZIP; where the matching private key is known, the files can be decrypted. Cisco Talos reported that Tortilla builds use a single private key for all victims, which means a decryptor that incorporates that one key can recover files across the whole campaign rather than for a single victim.
On an infected system, encrypted files carry the .babyk extension and each affected directory contains a ransom note named “How To Restore Your Files.txt”. Recovery steps for affected systems are to verify those two indicators, obtain the official Avast Babuk Decryptor, keep a copy of the encrypted files in case a decryption attempt fails, and then run the tool according to Avast’s instructions; the tool is also accessible via the NoMoreRansom project. The decryptor binary is hosted at files.avast.com and was developed with input from Cisco Talos and Dutch law enforcement to ensure compatibility with Tortilla-encrypted data.
For forensics and remediation, retain the malware sample (for example tortilla.exe) and a few files showing the .babyk extension, collect the ransom notes, and provide any binaries or hashes to responders. Decryption without paying is possible only because the ECDH-25519 private keys leaked and, as Talos reported, Tortilla reuses one of them for every victim; other Babuk-derived builds with different keys are not covered by this fact. Victims should not pay and should follow incident-response guidance while preserving evidence for law enforcement.
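The triage steps above (look for the .babyk extension and the ransom note, then hash suspicious binaries against the published IOC) as a runnable script. This is an added example, not code from Avast, Cisco Talos or the page: the directory layout and the stand-in tortilla.exe it creates are constructed for the demonstration, so the stand-in’s hash is its own and is not the published one, and the script performs no decryption (the recovered keys live in the Avast tool, not here).

```python
"""Host triage for Babuk/Tortilla indicators (added example, not Avast's or Talos's code).

Walks a directory tree, collects files carrying the .babyk extension, finds the
per-directory ransom note, and hashes executables against a known-bad list.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the page.
TORTILLA_SHA256 = "bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49"
ENCRYPTED_EXT = ".babyk"
RANSOM_NOTE = "How To Restore Your Files.txt"
EXEC_SUFFIXES = {".exe", ".dll"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_hashes=frozenset({TORTILLA_SHA256})) -> dict:
    """Return Tortilla indicators found under root.

    extensions: histogram of the original extension hidden under .babyk
    (report.docx.babyk -> .docx), useful for scoping what was hit.
    """
    found = {"encrypted": [], "notes": [], "hash_hits": [], "extensions": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                found["notes"].append(str(path))
            elif path.suffix.lower() == ENCRYPTED_EXT:
                found["encrypted"].append(str(path))
                original = Path(path.stem).suffix.lower() or "(none)"
                found["extensions"][original] = found["extensions"].get(original, 0) + 1
            elif path.suffix.lower() in EXEC_SUFFIXES:
                if sha256_file(path) in known_hashes:
                    found["hash_hits"].append(str(path))
    # Require both the extension and the note before calling it Tortilla;
    # either alone is weak evidence, since other Babuk builds use other names.
    found["likely_tortilla"] = bool(found["encrypted"]) and bool(found["notes"])
    return found


def build_sample_tree(base: Path) -> str:
    """Create a constructed victim layout; returns the SHA-256 of the stand-in binary.

    The binary content is made up: it is NOT the real tortilla.exe and its
    hash will not equal TORTILLA_SHA256.
    """
    (base / "docs").mkdir()
    (base / "docs" / "report.docx.babyk").write_bytes(os.urandom(64))
    (base / "docs" / RANSOM_NOTE).write_text("constructed ransom note\n")
    (base / "pics").mkdir()
    (base / "pics" / "holiday.jpg.babyk").write_bytes(os.urandom(64))
    (base / "pics" / RANSOM_NOTE).write_text("constructed ransom note\n")
    (base / "pics" / "untouched.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    dropper = base / "tools" / "tortilla.exe"
    dropper.parent.mkdir()
    dropper.write_bytes(b"MZ" + b"constructed stand-in for the Tortilla sample")
    return sha256_file(dropper)


def demo() -> dict:
    """Run the triage over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample_hash = build_sample_tree(root)
        # A real hunt uses the published IOC alone; the constructed hash is
        # added only so the matching path is exercised offline.
        return triage(root, known_hashes=frozenset({TORTILLA_SHA256, sample_hash}))


if __name__ == "__main__":
    report = demo()
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"ransom notes:    {len(report['notes'])}")
    print(f"original types:  {report['extensions']}")
    print(f"known-bad hits:  {report['hash_hits']}")
    print(f"likely Tortilla: {report['likely_tortilla']}")
```

Point `triage()` at a mounted image or a share rather than a live host where possible, and treat the hash match as confirmation of this one sample only: encryptors rebuilt from the leaked source will hash differently, so the extension and note remain the stronger campaign-level indicators.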