Babuk Tortilla ransomware dealt major blow with release of new decryptor – here’s how victims can recover their data
A decryptor for Babuk Tortilla ransomware has been released following a sting operation by Dutch police with the help of Cisco Talos, offering a vital lifeline for victims


A decryptor for the Babuk Tortilla ransomware variant has been made available by Cisco Talos following a police sting operation which saw a threat actor apprehended in Amsterdam.
Cisco Talos collaborated with Dutch police to identify and apprehend a threat actor involved in cyber attacks using the ransomware variant, authorities said.
In an announcement this week, Cisco Talos researcher Vanja Svajcer said that during the operation authorities recovered executable code capable of decrypting files affected by Babuk Tortilla ransomware, and that researchers were able to extract from it the private decryption key used by the attackers.
Talos shared the key with Avast Threat Labs, which maintains a decryptor that can recover data encrypted by a number of different strains of the Babuk ransomware.
Avast Threat Labs' decryptor was originally released in 2021, after the initial disclosure of the Babuk ransomware family, and includes all of the known private keys used in attacks by variants of the malware.
Avast's threat research team said the work was made easier by the fact that the threat actor used a single private key for all victims: adding that one key to the tool is enough for anyone hit by this strain to recover their files, with no per-victim key to hunt down.
Avast's Babuk decryptor is available for free, as are its similar tools for recovering files encrypted by a number of other ransomware families.
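The reason one recovered private key unlocks every victim is the standard ransomware key hierarchy: each file is encrypted with a fresh symmetric key, and that key is wrapped with the operator's public key embedded in the sample, so only the matching private key can unwrap it. If the operator reuses one key pair across all victims, recovering that single private key yields a universal decryptor; if each victim gets its own key pair, a leaked key helps only that victim. The Python below is an added, constructed model of this hierarchy and is not Babuk, Talos or Avast code. It uses textbook RSA over Miller-Rabin-generated primes and an HMAC-SHA256 keystream as stand-ins for the real primitives (illustration only, not for production use), and all function names, sample file contents and victim counts are assumptions made for the example.

```python
"""Constructed model of a ransomware key hierarchy (added example; not
Babuk, Talos or Avast code). Textbook RSA over Miller-Rabin primes and an
HMAC-SHA256 keystream stand in for real primitives: illustration only."""
import hashlib
import hmac
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test with witnesses drawn from rng."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-size and odd
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits=512, rng=None):
    """Return ((d, n), (e, n)): the operator's private and public key."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (pow(e, -1, phi), p * q), (e, p * q)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for the real stream cipher."""
    out = b""
    for ctr in range(-(-length // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_file(plaintext, master_pub):
    """Fresh per-file key, wrapped with the public key embedded in the sample."""
    file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(file_key, nonce, len(plaintext))))
    tag = hmac.new(file_key, nonce + ct, hashlib.sha256).digest()
    e, n = master_pub
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # unpadded RSA: toy only
    return {"nonce": nonce, "ciphertext": ct, "tag": tag, "wrapped_key": wrapped}


def decrypt_file(blob, master_priv):
    """Unwrap the file key with a private key; raise ValueError if it is the wrong one."""
    d, n = master_priv
    k = pow(blob["wrapped_key"], d, n)
    if k >= 1 << 256:
        raise ValueError("wrapped key does not unwrap under this private key")
    file_key = k.to_bytes(32, "big")
    expected = hmac.new(file_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication tag mismatch: wrong private key")
    ks = _keystream(file_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


def recover(blobs, recovered_priv):
    """Files a decryptor built from one recovered private key can restore."""
    out = []
    for blob in blobs:
        try:
            out.append(decrypt_file(blob, recovered_priv))
        except ValueError:
            pass
    return out


def compare_key_policies(victims=3, files_per_victim=2, seed=7):
    """(files recovered with a shared master key, files recovered with per-victim keys)."""
    rng = random.Random(seed)  # deterministic keys for the demo; constructed victims
    docs = [(v, f"victim{v}-doc{i}".encode()) for v in range(victims) for i in range(files_per_victim)]
    # Policy A: one master key pair reused for every victim; its private key leaks.
    priv, pub = rsa_keygen(512, rng)
    shared = [encrypt_file(doc, pub) for _, doc in docs]
    # Policy B: a fresh key pair per victim; only victim 0's private key leaks.
    keys = [rsa_keygen(512, rng) for _ in range(victims)]
    per_victim = [encrypt_file(doc, keys[v][1]) for v, doc in docs]
    return len(recover(shared, priv)), len(recover(per_victim, keys[0][0]))


if __name__ == "__main__":
    print(compare_key_policies())
```

With three constructed victims and two files each, the shared-key policy hands a decryptor holding the one recovered private key all six files, while the per-victim policy yields only the two files belonging to the victim whose key leaked. The authentication tag is what lets the tool tell a wrong key from a right one instead of writing garbage over the ciphertext, which is the check a real decryptor needs before it touches a victim's files.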
Victims unsure which strain of ransomware hit them can also turn to free resources such as the No More Ransom project, which hosts the largest collection of ransomware decryption tools and can identify a strain from user-uploaded sample files.
The Babuk group: from self-styled ethical hackers to attacks on government agencies
The Babuk group first emerged in 2021. It initially presented itself as having non-malicious intentions, claiming its focus was on exposing security failings in corporate networks.
That claim was quickly undermined when the group drew global media attention by leaking data exfiltrated in an attack on Washington DC's Metropolitan Police Department.
Other notable targets of the ransomware gang include the Houston Rockets basketball team, with the group threatening to leak 500GB of stolen data if it did not receive payment.
The group also drew headlines when it claimed it would no longer encrypt victims' data, opting instead for a more streamlined approach of extorting payment under the threat of leaking the data it had stolen.
For a moment it looked like the group would cease operations, after a dark web post announced that the ransomware's source code would be made public; threat researchers seized on the released code to build decryptor tools.
The decision was speculated to stem from an internal conflict over whether the group should publish all of its stolen data and risk increased attention from law enforcement agencies.
The Tortilla strain was first documented by Talos in November 2021, in a campaign that exploited Microsoft Exchange vulnerabilities to deploy the ransomware.
Babuk was notable for shipping encryptors not only for Windows but also for NAS devices and VMware ESXi hypervisors, the last of which matters because a single compromised ESXi host can encrypt every virtual machine it runs.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.