Ransomware - Tortilla

Tortilla
Aliases
Babuk Tortilla
Kaido
Decryptor Available
Yes
Description

Cisco Talos first reported on Tortilla, or Babuk Tortilla as they call it. The name is straightforward: the final encryptor payload is built from the leaked Babuk source code, and the loader that delivers it is named "tortilla.exe," hence Babuk Tortilla. Their initial report went quiet until, a little over three years later, they posted again on this ransomware and its threat actors. This time the news was good: the threat actor behind the attacks was arrested in the Netherlands, and Avast released an accompanying decryptor for any victims. It was an unexpected win for the good guys.

Since the encryptor is Babuk, the encryption mechanisms follow suit: the victim's files are encrypted with AES-256-CTR combined with ChaCha8. Also as in Babuk, the extension appended to encrypted files is ".babyk." As with almost all crypto-ransomware, the final payload drops a ransom note with instructions on paying for a decryption key; here the note is named "How To Restore your Files.txt." It tells victims to contact one of two email addresses, which are listed below. We're unaware of any specific victims of this ransomware, but according to Cisco Talos, the individual behind these attacks targeted organizations indiscriminately. Talos analyzed DNS requests to the domains hosting the payloads and found they came from users in Brazil, Germany, Finland, Honduras, Thailand, Ukraine, the U.K., and, most predominantly, the U.S.

Ransom note derived from Cisco Talos.

Ransomware Type
Crypto-Ransomware
Country of Origin
Netherlands
First Seen
Last Seen
Lineage
Extortion Types
Direct Extortion
Extortion Amounts
Amount
$10,000
Communication
Medium
Identifier
Encryption
Type
Hybrid
Files
AES-256-CTR
Additional Encryption
ChaCha8
Crypto Wallets
Blockchain Type
Crypto Wallet
XMR
46zdZVRjm9XJhdjpipwtYDY51NKbD74bfEffxmbqPjwH6efTYrtvbU5Et4AKCre9MeiqtiR51Lvg2X8dXv1tP7nxLaEHKKQ
File Extension
<file name>.<file extension>.babyk
Ransom Note Name
How To Restore your Files.txt
Ransom Note Image
07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235
08d799cc27063bc7969ae935ca171b518d0b41b1feaa9775bae06bd319291b41
0994c1fc7f66f88eead2091f31a2137f69d08c3cf9ee0f4a15a842f54253c9d9
1d28c4c85e241efbbe326051999b9a8e1d8eeb9a3322da5cb9a93c31c65bbb49
5f35dbf807c844c790b9cffc9f83eca05d32f58b737ba638c9567b8d22119f96
bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49