Threat actor exploits MS ProxyShell flaws to deploy Babuk ransomware

ransomware ransomware

BABUK Ransomware

A new threat actor is exploiting ProxyShell flaws in attacks aimed at Microsoft Exchange servers to deploy the Babuk Ransomware in corporate networks.

Talos researchers warn of a new threat actor that is hacking Microsoft Exchange servers by exploiting ProxyShell flaws to gain access to corporate and deploy the Babuk Ransomware.

Over the past months, other ransomware gangs, including Conti and Lockfile, exploited ProxyShell flaws to deliver their malware.

The attacks spotted by Cisco Talos were carried out by a Babuk ransomware affiliate tracked as Tortilla that has been active since at least July 2021.


#Proxyshell in #tortillas recipe #ransomwareWe have seen a new actor named tortillas abusing proxyshell to run ransomware.The ransomware maybe born from the leaked #Babuk code. The attack is originated by the IP: 185.219.52.]229 @58_158_177_102 @sugimu_sec— TG Soft (@VirITeXplorer) October 14, 2021The attack chain starts with a downloader module on a victim’s server in the form of a standalone executable format and a DLL. The DLL downloader is run by the Exchange IIS worker process w3wp.exe.

Attackers used a modified EfsPotato exploit to target proxyshell and PetitPotam flaws as an initial downloader. The downloader runs an embedded obfuscated PowerShell command to download a packed downloader module from the threat actor’s infrastructure. The PowerShell command also executes an AMSI bypass to circumvent endpoint protection.

Then the loader will connect to ‘’ to download an intermediate unpacker module that decrypts the embedded Babuk ransomware payload in memory and injects it into a newly created NET Framework process (AddInProcess32).


“The Babuk ransomware module, running within the process AddInProcess32, enumerates the processes running on the victim’s server and attempts to disable a number of processes related to backup products, such as Veeam backup service. It also deletes volume shadow service (VSS) snapshots from the server using vssadmin utility to make sure the encrypted files cannot be restored from their VSS copies. The ransomware module encrypts the files in the victim’s server and appends a file extension .babyk to the encrypted files.” reads the analysis published by Talos.

The Tortilla group is demanding a $10,000 USD ransom in Monero to recover the encrypted documents.

The analysis of DNS request distribution to the malicious domains revealed that most of the requests were coming from the U.S.. Experts observed a smaller number of impacted users in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.

hacking, Babuk Ransomware)

The post Threat actor exploits MS ProxyShell flaws to deploy Babuk ransomware appeared first on Security Affairs.