Cisco Talos first reported on Tortilla, or Babuk Tortilla as they call it. The reason it's called Babuk Tortilla is obvious and logical: it uses the leaked Babuk source code for the final encryptor payload, and the loader used to deliver that payload is named "tortilla.exe." Hence the name Babuk Tortilla. Their first report drew little follow-up until, a little over three years later, they unexpectedly posted again on this ransomware and its threat actors. It was good news this time: the threat actor behind the attacks was arrested in the Netherlands, and Avast released an accompanying decryptor for any possible victims. It was an unexpected win for the good guys.
Since the encryptor is Babuk, the encryption mechanisms follow suit. The victim's files are encrypted with AES-256-CTR combined with ChaCha8. Also as with Babuk, the file extension appended to encrypted files is ".babyk." As with almost all crypto-ransomware, the final payload also drops a ransom note providing instructions on possible payment for a decryption key. Here the ransom note is named "How To Restore your Files.txt." The instructions within tell victims to contact one of two emails, which are listed below. We're unaware of any specific victims of this ransomware, but according to Cisco Talos, the individual disseminating these attacks targeted organizations indiscriminately. Talos analyzed DNS requests to the domains hosting the payloads and found they came from users in Brazil, Germany, Finland, Honduras, Thailand, Ukraine, the U.K., and most predominantly the U.S.
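The two host-side artifacts named above, the ".babyk" extension and the "How To Restore your Files.txt" note, are what an incident responder would sweep a file system for first. The following triage scanner is an added example written for this article, not code from Cisco Talos, Avast, or the ransomware itself. It walks a directory tree, records every file carrying the extension and every copy of the note, and computes Shannon entropy on the head of each ".babyk" file: genuinely encrypted content sits near 8 bits per byte, so a renamed-but-readable file stands out as a partial or failed encryption run. The entropy threshold and the temporary sample tree are assumptions constructed for the demo.

```python
"""Triage scanner for Babuk Tortilla on-disk artifacts (added example,
not from the original write-up). Indicator names come from the text;
the entropy threshold and the demo sample tree are constructed here."""
import math
import os
import random
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".babyk"                       # extension named in the write-up
RANSOM_NOTE = "How To Restore your Files.txt"  # note file name from the write-up
HIGH_ENTROPY = 7.5   # assumption: bits/byte above which a file looks encrypted


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)   # files ending in .babyk
    ransom_notes: list = field(default_factory=list)      # copies of the note
    low_entropy_suspects: list = field(default_factory=list)  # .babyk but readable

    @property
    def hit(self) -> bool:
        """True when either indicator was seen anywhere in the tree."""
        return bool(self.encrypted_files or self.ransom_notes)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 65536) -> ScanResult:
    """Walk `root`, collecting the two indicators and flagging .babyk files
    whose leading bytes are not high-entropy (renamed but not encrypted)."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                if shannon_entropy(head) < HIGH_ENTROPY:
                    result.low_entropy_suspects.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed demo tree: one pseudo-ciphertext, one renamed plaintext,
    one ransom note, one untouched file. Deterministic so results repeat."""
    root = tempfile.mkdtemp(prefix="tortilla_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    rng = random.Random(1234)
    with open(os.path.join(docs, "report.docx.babyk"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))  # stands in for ciphertext
    with open(os.path.join(docs, "notes.txt.babyk"), "wb") as fh:
        fh.write(b"A" * 4096)                                     # renamed, not encrypted
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note, not the real text\n")
    with open(os.path.join(root, "clean.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        res = scan_tree(demo_root)
        print(f"indicator hit: {res.hit}")
        print(f"encrypted files: {len(res.encrypted_files)}")
        print(f"ransom notes: {len(res.ransom_notes)}")
        print(f"low-entropy .babyk files: {res.low_entropy_suspects}")
    finally:
        shutil.rmtree(demo_root, ignore_errors=True)
```

Run it against a mounted image or a suspect share root instead of the demo tree; the low-entropy list is worth a second look during recovery, since such files may be intact plaintext that was only renamed before the Avast decryptor is even needed.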
Ransom note derived from Cisco Talos.