{"id":89737,"date":"2021-11-10T10:36:14","date_gmt":"2021-11-10T10:36:14","guid":{"rendered":"https:\/\/www.stellarinfo.com\/blog\/?p=89737"},"modified":"2023-07-20T06:51:03","modified_gmt":"2023-07-20T06:51:03","slug":"babuk-ransomware-targeting-exchange-servers","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.com\/blog\/babuk-ransomware-targeting-exchange-servers\/","title":{"rendered":"‘Tortilla’ Attacking Microsoft Exchange Servers with Babuk Ransomware"},"content":{"rendered":"

Tortilla, a new threat actor, is targeting organizations with unpatched Exchange Servers vulnerable to ProxyShell attacks. The threat actor is using the China Chopper Web Shell<\/strong> to spread the Babuk ransomware and demanding $10,000 ransom in XMR (Monero) cryptocurrency to decrypt the data encrypted by the ransomware.<\/p>

Tortilla’s ransom note:<\/strong><\/p>

\"ransome<\/figure>

Source: Cisco<\/strong><\/p>

What is Babuk Ransomware?<\/h2>

Babuk ransomware is a new ransomware discovered in early 2021 after it impacted at least 5 major organizations, including Washington D.C. Police Department. One of them even paid $85,000 ransom to the threat actors in order to get their data back.<\/p>

It was only after the source code of the first Babuk ransomware and builder was leaked on hacking forums that new threat actors and groups, such as Tortilla, began utilizing the ransomware to modify and launch their attacks.<\/p>

Babuk is one of the most infamous ransomware that encrypts the targeted Exchange Server, interrupts backups, and deletes VSS copies (Volume Shadow Copies), leaving no option for recovery.<\/p>

Although the threat actors behind the Babuk ransomware are targeting Exchange servers across the globe, most of its victims are from the United States. Some attacks are also noticed in Germany, Brazil, Thailand, and the United Kingdom. Furthermore, the attacks are predicted to increase as attackers are constantly scanning for vulnerable Exchange Servers using the auto-discover URL.<\/p>

How is Tortilla Attacking Vulnerable Exchange Servers with Babuk Ransomware?<\/h2>

ProxyShell is a set of three vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) identified by Microsoft in August 2021. When chained together, these vulnerabilities allow an attacker to bypass authentication, run malicious scripts, install web shells, backdoors, and perform unauthorized remote code execution on the targeted Exchange Server.<\/p>

Although Microsoft released updates back in April 2021 and May 2021 to patch ProxyShell vulnerabilities, several organizations are still unpatched and vulnerable to ProxyShell attacks.<\/p>

The threat actor starts the attack by exploiting the ProxyShell vulnerabilities to access the targeted Exchange Server. Once inside, the attacker drops DLL or .NET executable files on the compromised Exchange Server. Next, the Exchange Internet Information Services or IIS worker process w3wp.exe<\/strong> that handles the web requests sent to the IIS web server. The IIS process executes the malicious payload to execute another evasive PowerShell command, which bypasses the endpoint protection and invokes a web request to download the payload loader called ‘tortilla.exe.’<\/p>

This loader connects to the Pastebin.pl site to download a payload, loaded into the memory, and injected into the .NET framework process. This eventually starts to encrypt the server data and mounted drives with Babuk ransomware.  <\/p>

Although Czech cybersecurity firm Avast earlier released a decryptor for Babuk ransomware, it doesn’t work for this Babuk ransomware variant.<\/p>

The decryptor can decrypt files or data encrypted using the .babuk, .babyk, or .doydo extensions or whose keys were leaked with the Babuk ransomware source code.<\/p>

\"babuk<\/figure>

How to Protect your Organization from Babuk Ransomware?<\/h2>

According to a report by Shodan<\/a>, a search engine that allows users to search different types of Internet-connected servers, more than 25000 Exchange Servers are still unpatched and vulnerable to ProxyShell attacks as of November 9, 2021.<\/p>

\"vulnerable<\/figure>

To protect your organization from Babuk ransomware, update the Exchange Server. There is no other way around.<\/p>

It is highly suggested that you identify the vulnerabilities on your Exchange Server and patch them using latest Microsoft Cumulative Updates or Security Updates released for supported Exchange Server versions.<\/p>

You can follow the steps discussed below to identify the vulnerabilities and patch them to safeguard your organization against ProxyShell attacks.<\/p>