{"id":55021,"date":"2024-01-10T14:23:54","date_gmt":"2024-01-10T14:23:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35385\/Babuk-Tortilla-Ransomware-Decrypted-After-Hackers-Arrest.html"},"modified":"2024-01-10T14:23:54","modified_gmt":"2024-01-10T14:23:54","slug":"babuk-tortilla-ransomware-decrypted-after-hackers-arrest","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/","title":{"rendered":"Babuk Tortilla Ransomware Decrypted After Hacker&#8217;s Arrest"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2023\/08\/GilDabahCol-e1704835108226.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>The decryption key for the Babuk ransomware variant that targeted the ProxyShell vulnerabilities in Microsoft Exchange is publicly available following its creator\u2019s arrest.<\/p>\n<p>Babuk Tortilla is a version of the original Babuk ransomware that emerged after the Babuk source code was leaked in September 2021. A ProxyShell exploitation campaign to deploy Babuk Tortilla on vulnerable Microsoft Exchange servers <a href=\"https:\/\/blog.talosintelligence.com\/babuk-exploits-exchange\/\" target=\"_blank\" rel=\"noreferrer noopener\">was discovered on Oct. 12, 2021<\/a>, by researchers at Cisco Talos.<\/p>\n<p>Talos teamed up with Dutch police and prosecutors in Amsterdam in a criminal investigation that led to the identification and arrest of the threat actor behind Babuk Tortilla, the Cisco\u2019s threat intelligence team revealed <a href=\"https:\/\/blog.talosintelligence.com\/decryptor-babuk-tortilla\/\" target=\"_blank\" rel=\"noreferrer noopener\">in a blog post Tuesday<\/a>.<\/p>\n<p>During the investigation, police retrieved and provided Talos with the executable code used by the threat actor to decode files encrypted by the Tortilla variant.<\/p>\n<p>\u201cThey felt our technical expertise is a guarantee that we can successfully analyse and publish the decryptor code in a format that can be safely used by potentially affected users,\u201d Vanja Svajcer, outreach researcher at Cisco Talos, told SC Media.<\/p>\n<p>Talos extracted the private decryption key from this code and shared it with Avast Threat Labs, which included the key in its universal Avast Babuk decryptor.<\/p>\n<p>The decryptor is freely available for victims of several Babuk ransomware variants to download from <a href=\"https:\/\/www.avast.com\/ransomware-decryption-tools#babuk\" target=\"_blank\" rel=\"noreferrer noopener\">the Avast website<\/a> or the <a href=\"https:\/\/www.nomoreransom.org\/en\/decryption-tools.html\" target=\"_blank\" rel=\"noreferrer noopener\">NoMoreRansom project<\/a> and recover their files.<\/p>\n<h2>Babuk Tortilla used the same public\/private key pair for all of its victims<\/h2>\n<p>The new ransomware decryption tool is especially useful because it can be used universally by all victims of the Babuk Tortilla campaign. This is because the threat actor never bothered to generate new public\/private key pairs for each victim, instead using only one key pair throughout the campaign.<\/p>\n<p>Fourteen Babuk decryption keys were previously recovered from a ZIP file shared by the source code leaker on a Russian-language hacking forum, <a href=\"https:\/\/decoded.avast.io\/threatresearch\/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police\/\" target=\"_blank\" rel=\"noreferrer noopener\">Avast noted in a blog post<\/a>. These keys are included along with the new Tortilla key in Avast\u2019s universal Babuk ransomware decryptor.<\/p>\n<p>\u201cAfter brief examination of the provided sample (originally named tortilla.exe), we found out that the encryption schema had not changed since we analyzed Babuk samples 2 years ago,\u201d the Avast Threat Research Team wrote. \u201cThe process of extending the decryptor was therefore straightforward.\u201d<\/p>\n<p>The Talos team said extracting the decryption key from the original executable was important to enable its inclusion in the all-in-one Avast solution and avoid spreading untrusted code created by the threat actor.<\/p>\n<p>Additionally, the original decryption process used by Tortilla was slow and inefficient compared to the Avast tool, the researchers said.<\/p>\n<h2>Ransomware campaign targeted ProxyShell, SolarWinds, Atlassian vulnerabilities<\/h2>\n<p>The Babuk ransomware is notorious for its use in the <a href=\"https:\/\/www.scmagazine.com\/brief\/ransomware-gang-publishes-files-stolen-from-d-c-police-department-2\" target=\"_blank\" rel=\"noreferrer noopener\">Washington Metropolitan Police Department data breach<\/a>, as well as targeted attacks against healthcare, manufacturing and other critical infrastructure sectors.<\/p>\n<p>Multiple Babuk variants have popped up following the source code leak, leveraged by threat actors including Pandora, Nokoyawa and, most recently, RA Group, <a href=\"https:\/\/blog.talosintelligence.com\/ra-group-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">according to Talos research<\/a>.<\/p>\n<p>The Tortilla threat actor, named after payload file names used in their campaign, was active since July 2021 and was first spotted attacking vulnerable Microsoft Exchange servers with Babuk in October 2021.<\/p>\n<p>Cisco Talos analyzed the threat after it was detected in telemetry data from Cisco Secure products and found it primarily focused on exploiting ProxyShell.<\/p>\n<p>ProxyShell is a chain of three vulnerabilities (tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-34473\" data-type=\"link\" data-id=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-34473\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-34473,<\/a> <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-34523\" data-type=\"link\" data-id=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-34523\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-34523<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-31207\" data-type=\"link\" data-id=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-31207\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-31207<\/a>) that enable unauthenticated attackers to achieve administrator access and remote code execution on unpatched Microsoft Exchange servers.<\/p>\n<p>Discovered in April 2021, the bugs were quickly <a href=\"https:\/\/www.scmagazine.com\/analysis\/security-researchers-seeing-mass-exploitation-of-exchange-servers-using-proxyshell\" target=\"_blank\" rel=\"noreferrer noopener\">subjected to \u201cmass exploitation,\u201d <\/a>with ProxyShell attacks persisting well into 2023, <a href=\"https:\/\/www.scmagazine.com\/native\/time-keeps-on-slippin-slippin-slippin-the-2023-active-adversary-report-for-tech-leaders\" target=\"_blank\" rel=\"noreferrer noopener\">according to Sophos\u2019 2023 Active Adversary Report for Tech Leaders<\/a>.<\/p>\n<p>Talos also detected attempts by Tortilla to exploit other vulnerabilities in common business software, including Atlassian Confluence, Apache Struts, Oracle WebLogic, WordPress, Liferay and SolarWinds Orion (using <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-10148\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2020-10148<\/a>, the same vulnerability believed to be used in the major 2020 SolarWinds hack).<\/p>\n<p>The threat researchers note the Babuk Tortilla ransomware variant uses a novel infection chain in which an intermediate unpacking module is downloaded from a PasteBin clone in order to decrypt and inject the final ransomware payload.<\/p>\n<p>The ransomware encrypts files with a combination of AES-256-CTR and the ChaCha8 cipher and creates a text file with a ransom note demanding the equivalent of $10,000 USD in the cryptocurrency Monero in exchange for the decryption key.<\/p>\n<p>Files encrypted by Babuk ransomware bear the file extensions .babuk, .babyk or .doydo, according to Avast.<\/p>\n<h2>Threat actor arrested in the Netherlands<\/h2>\n<p>Dutch National Police in Amsterdam apprehended the threat actor behind the Babuk Tortilla campaign based on intelligence provided by Talos, according to the threat researchers\u2019 blog post. The threat actor was also prosecuted by the Netherlands Public Prosecution Service.<\/p>\n<p>Few details are available about the criminal case or suspect are available, including the date of the arrest, the charges filed and whether the suspect was convicted. Cisco Talos declined to disclose these details, directing SC Media to contact Dutch Police. The Dutch National Police did not respond to requests for further information by the time of publishing.<\/p>\n<p>Dutch police previously worked with cybersecurity experts and international partners to <a href=\"https:\/\/www.politie.nl\/nieuws\/2022\/oktober\/14\/09-nederlandse-gedupeerde-geholpen-in-unieke-ransomware-actie.html\" target=\"_blank\" rel=\"noreferrer noopener\">recover more than 150 decryption keys for Deadbolt ransomware<\/a> in 2022. In that case, police used a strategy suggested by cybersecurity company Resonders.NU, which involved paying Bitcoin ransoms, receiving decryption keys, and then withdrawing the Bitcoin payments.<\/p>\n<p>Svajcer warned that the arrest of the Babuk Tortilla threat actor and release of the decryption key does not mean the Babuk malware family is done causing trouble.<\/p>\n<p>\u201cBabuk source code leaked in 2021 and it is quite a stable code covering different platforms such as Windows and VMWare ESXi,\u201d Svajcer told SC Media. \u201cSince the Babuk source code is easily obtainable in underground forums we can expect to see more attacks based on it by new and existing ransomware actors in 2024.\u201d<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35385\/Babuk-Tortilla-Ransomware-Decrypted-After-Hackers-Arrest.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55022,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[10817],"class_list":["post-55021","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackermalwaredata-losspasswordcryptography"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Babuk Tortilla Ransomware Decrypted After Hacker&#039;s Arrest 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Babuk Tortilla Ransomware Decrypted After Hacker&#039;s Arrest 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-10T14:23:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2023\/08\/GilDabahCol-e1704835108226.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Babuk Tortilla Ransomware Decrypted After Hacker&#8217;s Arrest\",\"datePublished\":\"2024-01-10T14:23:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/\"},\"wordCount\":977,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg\",\"keywords\":[\"headline,hacker,malware,data loss,password,cryptography\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/\",\"name\":\"Babuk Tortilla Ransomware Decrypted After Hacker's Arrest 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg\",\"datePublished\":\"2024-01-10T14:23:54+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg\",\"width\":800,\"height\":449},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,malware,data loss,password,cryptography\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackermalwaredata-losspasswordcryptography\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Babuk Tortilla Ransomware Decrypted After Hacker&#8217;s Arrest\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Babuk Tortilla Ransomware Decrypted After Hacker's Arrest 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/","og_locale":"en_US","og_type":"article","og_title":"Babuk Tortilla Ransomware Decrypted After Hacker's Arrest 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-01-10T14:23:54+00:00","og_image":[{"url":"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2023\/08\/GilDabahCol-e1704835108226.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Babuk Tortilla Ransomware Decrypted After Hacker&#8217;s Arrest","datePublished":"2024-01-10T14:23:54+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/"},"wordCount":977,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg","keywords":["headline,hacker,malware,data loss,password,cryptography"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/","url":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/","name":"Babuk Tortilla Ransomware Decrypted After Hacker's Arrest 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg","datePublished":"2024-01-10T14:23:54+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest.jpg","width":800,"height":449},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/babuk-tortilla-ransomware-decrypted-after-hackers-arrest\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,malware,data loss,password,cryptography","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackermalwaredata-losspasswordcryptography\/"},{"@type":"ListItem","position":3,"name":"Babuk Tortilla Ransomware Decrypted After Hacker&#8217;s Arrest"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55021"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55021\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55022"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}