Babuk Tortilla: use of recovery tool & processes

Posted date 23/05/2024
Imagen decorativa del blog

The Babuk ransomware, also known as Babuk Locker, first emerged in early 2021 and quickly gained notoriety for its attack methods and features, primarily targeting healthcare, telecommunications, banking, finance, education, government, and critical infrastructure organizations. A notorious example of its impact was the attack on the health department of a well-known British multinational, from which it demanded a significant ransom to release the affected systems.

Following the operational methods of other ransomware families, Babuk's operators acted by leaking stolen data from some of their victims on the dark web where they had a forum where they published this data. In addition, they advertised on other channels with the aim of getting affiliates and dealing with possible updates to the malware from underground marketplaces.

In September 2021, the leak of the source code of the Babuk ransomware marked the beginning of a new wave of malicious variants, among which ESXiArgs and Babuk Tortilla stood out, causing a significant increase, especially in the United States. For two years, Cisco Talos devoted itself to the in-depth analysis of the Tortilla campaign, an effort that, in collaboration with Dutch authorities, culminated in the arrest of the cybercriminal responsible. This key breakthrough was made possible by shared threat intelligence, evidencing, once again, the importance of cooperation between cybersecurity entities and law enforcement. The investigation revealed that the threat actor used a single private key for file encryption in all of its operations. This finding was shared with the company Avast, which had previously developed a decryptor for older variants of Babuk, which assisted in the creation of an updated version of its decryption tool. Released in January 2024, the new decryptor incorporated all known private keys, offering a unified solution for the recovery of files affected by the various variants of Babuk, including the notorious Tortilla.

Countries infected by Babuk Tortilla

- Countries infected by Babuk Tortilla. Source. -



Babuk Tortilla's initial approach aligned with the Ransomware as a Service (RaaS) model, providing affiliates with a platform to launch extortion attacks against their victims. Over time, however, those responsible for the campaign decided to take a more direct approach to their extortion operations, abandoning the affiliate program.

As part of their extortion strategy, Tortilla operators not only encrypted victims' files, but also resorted to additional tactics to increase pressure on them and secure ransom payments. One of these tactics included posting stolen data on underground forums.

For payments, Tortilla operators preferred Monero over Bitcoin, this preference for a more anonymous cryptocurrency underscores the increasing sophistication of ransomware groups in their efforts to evade detection and tracking by authorities and security researchers.

Infection and spread

Babuk Tortilla employed a number of common attack vectors or techniques, most notably fraudulent emails. These mails were designed to trick users, entice them to click on malicious links or open infected attachments that triggered the malware to be downloaded.

It also exploited vulnerabilities in remote desktop protocols and Windows software or operating systems. These vulnerabilities, when not properly patched, offered cybercriminals a backdoor to infiltrate systems. The typical infection process, observed in the main Babuk Tortilla samples found, began with the exploitation of vulnerabilities known collectively as ProxyShell, which affected Microsoft Exchange servers:

  • CVE-2021-34473: This vulnerability could allow attackers to bypass access control lists (ACLs) through an authentication path confusion that provided unauthorized access to internal server functions.
  • CVE-2021-34523: Once inside the system, this privilege escalation vulnerability allowed the attacker to gain more control over the server, specifically through the Exchange PowerShell backend.
  • CVE-2021-31207: With elevated privileges, the attacker could write arbitrary files to the server, which could lead to remote code execution.

Once the vulnerabilities were exploited to gain access to the system, the threat actor proceeded with the next phase, downloading the malicious files necessary for the execution of the malware, which was usually done through obfuscated commands, executed through PowerShell. The downloaded file (tortilla.exe) acted as a loader for the ransomware and, when executed, made requests to a malicious URL, from where the payload embedded in a file was downloaded, such as an image manipulated to contain the malicious code. Finally, it unpacked the encryptor and began the process of encrypting the files on the infected system.

Babuk Tortilla Execution Diagram

- Babuk Tortilla Execution Diagram. Source. -

Evasion of detection and recovery

To evade detection mechanisms, malware:

  • Enumerate the processes: identify the running processes, analysing them to select those that could interfere with their operation or impede their success. This phase was essential for mapping the operating environment and preparing the ground for subsequent actions.
  • Stopped processes related to backups or file backups, as well as antivirus systems in the environment. This action was intended to remove barriers that could hinder infection or facilitate the recovery of affected files.
  • It listed shared resources within the network, allowing for further spread of ransomware and significantly expanding its impact on the affected organization's infrastructure.
  • It deleted copies of files to ensure that there was no chance of recovery without the payment of the ransom, increasing the pressure on victims to comply with the attackers' demands.
  • It circumvented control mechanisms to facilitate external connections during its execution. The ransomware modified security controls, installing certificates that allowed security warnings to be circumvented when connecting to potentially blocked or blacklisted servers or URLs.


Babuk Tortilla used an AES-256-based encryption scheme combined with ChaCha8 to encrypt the data, which was renamed with the extension '.babyk'.  On the other hand, an ECDH protocol was used for shared keys. The ransomware made use of the AppData directory, where it hosted a '.bin' file containing the local private key used to encrypt system files.

At the same time, the malware created a text file in each of the folders under the title 'How To Restore Your Files.txt' that contained the steps to be followed by the victim to recover their data.

Contents of the ransom note screenshot

- Contents of the ransom note. Source. -

Response & disinfection

As mentioned, Babuk Tortilla exploited the vulnerabilities associated with ProxyShell for remote code execution on Microsoft Exchange servers, so it is essential to implement the product security patches offered by Microsoft for the aforementioned vulnerabilities.

In case you have been infected by any variant of Babuk, including Tortilla, the Avast decryption tool is available. Despite the fact that the decryption processes are not always satisfactory, these decryptors offer the possibility to decrypt the stolen data and recover the files if certain requirements are met.

The decryption process using the Avast decryptor is described below. Please note that there is a difference between v., the only version hosted on the Avast server (replicated on, and the instructions provided in the instruction manual, v.1.0.52). This article describes the procedure following the execution of the available version (v.

  • Once you've downloaded the corresponding version of Avast for Babuk, launch the program. In the first window we have the license information. Click Next:
Decryption process using Avast screenshot

- Decryption process using Avast. -

  • Next, select the drive(s) that contains encrypted data. You can also select a specific directory from "Add Folder ...". Click Next:
Decryption process using Avast screenshot

- Decryption process using Avast. -

  • Once the drives or directories have been selected, in the next window we have the option to make a backup of the encrypted data, in such a way that it will allow us to restart the process in case of any problem:
Decryption process using Avast screenshot

- Decryption process using Avast. -

  • Finally, it will begin the process of decrypting the files that will make them accessible again.


The activity of the Babuk Tortilla ransomware, whose rise alarmed global organizations due to its extortion capabilities by encrypting critical files, was finally interrupted. Evolved from Babuk's source code, it primarily leveraged the exploitation of critical vulnerabilities, such as ProxyShell on Microsoft Exchange servers, and demonstrated the ability of threat actors to infiltrate organizations.

The case of this ransomware reminds us of the need to implement robust preventive measures. Performing regular backups should be prioritized as a fundamental strategy. In addition, the incorporation of monitoring and incident response tools, such as XDR (Extended Detection and Response) solutions, helps in early detection and effective response to malicious activities.

Collaboration between IT teams, a commitment to up-to-date cybersecurity practices, and the implementation of an advanced security infrastructure are critical to mitigate the risk of ransomware and protect critical digital assets, not to mention training and awareness-raising efforts that will help employees avoid falling prey to the social engineering techniques used by cybercriminals to gain initial access to our systems.