{
	"id": "e38c64f6-6c32-4e08-b427-2afb3e13e392",
	"created_at": "2026-04-06T00:10:19.238202Z",
	"updated_at": "2026-04-10T03:24:07.561119Z",
	"deleted_at": null,
	"sha1_hash": "036f1f2ba90ef40ebc5b18b849fbac3337886205",
	"title": "Avast updates Babuk Ransomware Decryptor in cooperation with Cisco Talos and Dutch Police",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 883441,
	"plain_text": "Avast updates Babuk Ransomware Decryptor in cooperation with\r\nCisco Talos and Dutch Police\r\nBy Threat Research Team\r\nArchived: 2026-04-05 13:43:06 UTC\r\nBabuk, an advanced ransomware strain, was publicly discovered in 2021. Since then, Avast has blocked more than\r\n5,600 targeted attacks, mostly in Brazil, Czech Republic, India, the United States, and Germany.\r\nToday, in cooperation with Cisco Talos and Dutch Police, Avast is releasing an updated version of the Avast Babuk\r\ndecryption tool, capable of restoring files encrypted by the Babuk variant called Tortilla. To download the tool,\r\nclick here.\r\nBabuk attacks blocked by Avast since 2021\r\nBabuk Ransomware Decryptor\r\nIn September 2021, the source code of the Babuk ransomware was released on a Russian-speaking hacking forum.\r\nThe ZIP file also contained 14 private keys (one for each victim). Those keys were ECDH-25519 private keys\r\nneeded for decryption of files encrypted by the Babuk ransomware.\r\nThe Tortilla Campaign\r\nAfter a brief examination of the provided sample (originally named tortilla.exe), we found that the encryption\r\nschema had not changed since we analyzed Babuk samples 2 years ago. The process of extending the decryptor\r\nwas therefore straightforward.\r\nThe Babuk encryptor was likely created from the leaked sources using the build tool. According to Cisco Talos, a\r\nsingle private key is used for all victims of the Tortilla threat actor. This makes the update to the decryptor\r\nespecially useful, as all victims of the campaign can use it to decrypt their files. As with all Avast decryptors, the\r\nBabuk Ransomware Decryptor is available for free.\r\nhttps://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/\r\nPage 1 of 2\r\nBabuk victims can find out whether they were part of the Tortilla campaign by looking at the extension of the\r\nencrypted files and the ransom note file. Files encrypted by the ransomware have the .babyk extension as shown\r\nin the following example:\r\nThe ransom note file is called How To Restore Your Files.txt and is dropped to every directory. This is what the\r\nransom note looks like:\r\nBabuk victims can download the Babuk Decryptor for free:\r\nhttps://files.avast.com/files/decryptor/avast_decryptor_babuk.exe. It is also available within the NoMoreRansom\r\nproject.\r\nWe would like to thank Cisco Talos and the Dutch Police for their cooperation.\r\nIOCs (indicators of compromise)\r\nbd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49 (tortilla.exe)\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/"
	],
	"report_names": [
		"avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police"
	],
	"threat_actors": [
		{
			"id": "8bd26575-9221-47d1-9d8b-5c18354dc1bd",
			"created_at": "2022-10-25T16:07:24.335Z",
			"updated_at": "2026-04-10T02:00:04.94173Z",
			"deleted_at": null,
			"main_name": "Tortilla",
			"aliases": [],
			"source_name": "ETDA:Tortilla",
			"tools": [
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper",
				"Vasa Locker"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775791447,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/036f1f2ba90ef40ebc5b18b849fbac3337886205.pdf",
		"text": "https://archive.orkl.eu/036f1f2ba90ef40ebc5b18b849fbac3337886205.txt",
		"img": "https://archive.orkl.eu/036f1f2ba90ef40ebc5b18b849fbac3337886205.jpg"
	}
}