The decryption key for the Babuk ransomware variant that targeted the ProxyShell vulnerabilities in Microsoft Exchange is publicly available following its creator’s arrest.
Babuk Tortilla is a version of the original Babuk ransomware that emerged after the Babuk source code was leaked in September 2021. A ProxyShell exploitation campaign to deploy Babuk Tortilla on vulnerable Microsoft Exchange servers was discovered on Oct. 12, 2021, by researchers at Cisco Talos.
Talos teamed up with Dutch police and prosecutors in Amsterdam in a criminal investigation that led to the identification and arrest of the threat actor behind Babuk Tortilla, Cisco's threat intelligence team revealed in a blog post Tuesday.
During the investigation, police retrieved and provided Talos with the executable code used by the threat actor to decode files encrypted by the Tortilla variant.
“They felt our technical expertise is a guarantee that we can successfully analyse and publish the decryptor code in a format that can be safely used by potentially affected users,” Vanja Svajcer, outreach researcher at Cisco Talos, told SC Media.
Talos extracted the private decryption key from this code and shared it with Avast Threat Labs, which included the key in its universal Avast Babuk decryptor.
Babuk Tortilla used the same public/private key pair for all of its victims
The new ransomware decryption tool is especially useful because it can be used universally by all victims of the Babuk Tortilla campaign. This is because the threat actor never bothered to generate new public/private key pairs for each victim, instead using only one key pair throughout the campaign.
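The following model shows why a single recovered private key is enough. It is an added example, not Babuk, Talos or Avast code: the page does not describe Babuk's key exchange, so the hybrid scheme here (an operator key pair embedded in the binary, an ephemeral key pair per victim, a file key derived from the key agreement) is the usual ransomware pattern and is an assumption. Diffie-Hellman over a toy Mersenne-prime group stands in for a real curve, and an HMAC-SHA256 counter keystream stands in for ChaCha8, so the block runs on the Python standard library alone. The victim data is constructed.

```python
"""Why one recovered operator private key unlocked every Tortilla victim.

Added example, not Babuk or Talos/Avast code. Toy primitives only:
DH over p = 2**127 - 1 instead of a real curve, HMAC-SHA256 keystream instead
of ChaCha8. The key hierarchy is the assumed, common ransomware pattern.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime: toy modulus, far too small for real use
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def keystream_xor(key, data):
    """Stand-in stream cipher: HMAC-SHA256 keystream in counter mode (not ChaCha8)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_victim(operator_pub, plaintext):
    """Ransomware side. A fresh ephemeral key pair is generated on the victim,
    the file key is SHA-256 of the shared secret with the operator's embedded
    public key, and only the ephemeral public key is left behind for recovery.
    The ephemeral private key is dropped, so the victim cannot derive the key."""
    eph_priv, eph_pub = dh_keypair()
    file_key = hashlib.sha256(dh_shared(eph_priv, operator_pub)).digest()
    return eph_pub, keystream_xor(file_key, plaintext)


def decrypt_victim(operator_priv, eph_pub, ciphertext):
    """Decryptor side: the operator's private key plus the stored ephemeral
    public key reproduce the same shared secret, hence the same file key."""
    file_key = hashlib.sha256(dh_shared(operator_priv, eph_pub)).digest()
    return keystream_xor(file_key, ciphertext)


# Constructed victim data for the demonstration.
SAMPLE_VICTIMS = {
    "exchange01.alpha.example": b"mailbox database, pretend these are EDB bytes",
    "exchange02.beta.example": b"another victim's files",
    "srv-files.gamma.example": b"third victim, third network",
}


def campaign(victims, reuse_keypair):
    """Encrypt each victim; return (name, operator_priv, eph_pub, ciphertext).
    reuse_keypair=True is the Tortilla mistake: one operator key pair for all."""
    shared_priv, shared_pub = dh_keypair()
    records = []
    for name, data in victims.items():
        priv, pub = (shared_priv, shared_pub) if reuse_keypair else dh_keypair()
        eph_pub, ct = encrypt_victim(pub, data)
        records.append((name, priv, eph_pub, ct))
    return records


def victims_unlocked_by_first_key(victims, reuse_keypair):
    """Take the operator private key for the first victim only (what a seized
    decryptor hands over) and count how many victims it actually decrypts."""
    records = campaign(victims, reuse_keypair)
    recovered_priv = records[0][1]
    return sum(
        1 for name, _, eph_pub, ct in records
        if decrypt_victim(recovered_priv, eph_pub, ct) == victims[name]
    )


if __name__ == "__main__":
    print("reused key pair:", victims_unlocked_by_first_key(SAMPLE_VICTIMS, True))
    print("per-victim key pairs:", victims_unlocked_by_first_key(SAMPLE_VICTIMS, False))
```

With `reuse_keypair=True` the one recovered private key decrypts all three constructed victims; with per-victim key pairs it decrypts only the first. That is the whole difference between a universal decryptor and a key that helps one organisation, and it is also why Talos needed the private key itself rather than the operator's decryptor binary: the key is a few bytes that can be dropped into a trusted tool.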
Fourteen Babuk decryption keys were previously recovered from a ZIP file shared by the source code leaker on a Russian-language hacking forum, Avast noted in a blog post. These keys are included along with the new Tortilla key in Avast’s universal Babuk ransomware decryptor.
“After brief examination of the provided sample (originally named tortilla.exe), we found out that the encryption schema had not changed since we analyzed Babuk samples 2 years ago,” the Avast Threat Research Team wrote. “The process of extending the decryptor was therefore straightforward.”
The Talos team said extracting the decryption key from the original executable was important to enable its inclusion in the all-in-one Avast solution and avoid spreading untrusted code created by the threat actor.
Additionally, the original decryption process used by Tortilla was slow and inefficient compared to the Avast tool, the researchers said.
Ransomware campaign targeted ProxyShell, SolarWinds, Atlassian vulnerabilities
The Babuk ransomware is notorious for its use in the Washington Metropolitan Police Department data breach, as well as targeted attacks against healthcare, manufacturing and other critical infrastructure sectors.
Multiple Babuk variants have popped up following the source code leak, leveraged by threat actors including Pandora, Nokoyawa and, most recently, RA Group, according to Talos research.
The Tortilla threat actor, named after payload file names used in their campaign, had been active since July 2021 and was first spotted attacking vulnerable Microsoft Exchange servers with Babuk in October 2021.
Cisco Talos analyzed the threat after it was detected in telemetry data from Cisco Secure products and found it primarily focused on exploiting ProxyShell.
ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that enable unauthenticated attackers to achieve administrator access and remote code execution on unpatched Microsoft Exchange servers.
Demonstrated at Pwn2Own in April 2021 and patched by Microsoft in April and May 2021, the bugs were subjected to “mass exploitation” within days of their public write-up that August, with ProxyShell attacks persisting well into 2023, according to Sophos’ 2023 Active Adversary Report for Tech Leaders.
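ProxyShell leaves a recognisable shape in the Exchange front-end IIS logs: the pre-auth path confusion (CVE-2021-34473) puts an `@` right after `autodiscover.json` and carries the attacker-chosen backend path (`/mapi/nspi`, `/powershell`, `/ews/`) in the query string. The hunting script below is an added example, not Talos or Avast code; the W3C log lines are constructed for the example and the `X-Rps-CAT` token value is a placeholder.

```python
"""Hunt for ProxyShell path-confusion requests in IIS W3C logs.
Added example (not Cisco Talos or Avast code). Log lines are constructed;
the field layout is the default IIS W3C format."""
import re
from typing import Dict, Iterable, List

# Constructed sample log, not a capture from any real incident.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-10-12 03:14:07 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 312
2021-10-12 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=CONSTRUCTED_TOKEN 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 1544
2021-10-12 03:15:22 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f 443 - 192.0.2.44 Mozilla/5.0 - 200 0 0 21
2021-10-12 03:16:01 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/ews/exchange.asmx 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 890
2021-10-12 03:17:45 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 192.0.2.44 Outlook/16.0 - 401 0 0 5
"""

# CVE-2021-34473 path confusion: everything after "autodiscover.json?" up to the
# "@" is treated as a mailbox address, and the remainder becomes the backend URL
# the front end forwards to on the attacker's behalf.
PATH_CONFUSION = re.compile(r"/autodiscover/autodiscover\.json\?[^\s]*@", re.IGNORECASE)
# Backends seen in the chain: NSPI to learn an admin SID, the PowerShell
# backend with an X-Rps-CAT token, EWS to write the web shell.
BACKENDS = ("/mapi/nspi", "/powershell", "/ews/")


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Map each record to its column names using the #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def full_url(row: Dict[str, str]) -> str:
    query = row.get("cs-uri-query", "-")
    return row["cs-uri-stem"] + ("" if query == "-" else "?" + query)


def find_proxyshell(lines: Iterable[str]) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for row in parse_w3c(lines):
        url = full_url(row)
        if not PATH_CONFUSION.search(url):
            continue
        lowered = url.lower()
        hits.append({
            "time": f"{row['date']} {row['time']}",
            "src": row["c-ip"],
            "method": row["cs-method"],
            "backend": next((b for b in BACKENDS if b in lowered), "other"),
            "status": row["sc-status"],
            "token": "x-rps-cat=" in lowered,
        })
    return hits


def scan_sample() -> List[Dict[str, object]]:
    return find_proxyshell(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

On the constructed log this flags the three attacker requests and ignores the ordinary Outlook Autodiscover 401 and the OWA logon. Run it over the front-end site's logs under `inetpub\logs\LogFiles`; a `/powershell` hit carrying `X-Rps-CAT` followed by an `/ews/` hit from the same source is the order in which the chain runs, and the backend site (port 444) logs show the same requests from the server's own address.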
Talos also detected attempts by Tortilla to exploit other vulnerabilities in common business software, including Atlassian Confluence, Apache Struts, Oracle WebLogic, WordPress, Liferay and SolarWinds Orion (using CVE-2020-10148, an authentication bypass in the Orion API that CISA linked to the SUPERNOVA web shell deployments of late 2020; it is distinct from the trojanized-update SUNBURST compromise of the same period).
The threat researchers note the Babuk Tortilla ransomware variant uses a novel infection chain in which an intermediate unpacking module is downloaded from a Pastebin clone in order to decrypt and inject the final ransomware payload.
The ransomware encrypts files with a combination of AES-256-CTR and the ChaCha8 cipher and creates a text file with a ransom note demanding $10,000 worth of the cryptocurrency Monero in exchange for the decryption key.
Files encrypted by Babuk ransomware bear the file extensions .babuk, .babyk or .doydo, according to Avast.
Threat actor arrested in the Netherlands
Dutch National Police in Amsterdam apprehended the threat actor behind the Babuk Tortilla campaign based on intelligence provided by Talos, according to the threat researchers’ blog post. The threat actor was also prosecuted by the Netherlands Public Prosecution Service.
Few details about the criminal case or the suspect are available, including the date of the arrest, the charges filed and whether the suspect was convicted. Cisco Talos declined to disclose these details, directing SC Media to contact Dutch Police. The Dutch National Police did not respond to requests for further information by the time of publishing.
Dutch police previously worked with cybersecurity experts and international partners to recover more than 150 decryption keys for Deadbolt ransomware in 2022. In that case, police used a strategy suggested by cybersecurity company Responders.NU, which involved paying Bitcoin ransoms, receiving decryption keys, and then withdrawing the Bitcoin payments before they were confirmed.
Svajcer warned that the arrest of the Babuk Tortilla threat actor and release of the decryption key does not mean the Babuk malware family is done causing trouble.
“Babuk source code leaked in 2021 and it is quite a stable code covering different platforms such as Windows and VMWare ESXi,” Svajcer told SC Media. “Since the Babuk source code is easily obtainable in underground forums we can expect to see more attacks based on it by new and existing ransomware actors in 2024.”