New Tortilla threat actor: Babuk ransomware targeting Exchange servers

Researchers report the new attack aiming to exploit Microsoft Exchange ProxyShell vulnerabilities for ransomware

Tortilla aims at Exchange servers: ProxyShell attacks are being used to spread Babuk ransomware, Cisco Talos warns companies.

Cisco Talos informs[1] companies about a new variant of Babuk ransomware aimed at Exchange servers.[2] Most victims of this Tortilla campaign are located in the U.S. The cybercriminal known as Tortilla launched a new round of ProxyShell attacks against Microsoft Exchange servers that were still vulnerable at the time. The goal of the intrusion is to deploy the Babuk ransomware. According to the research team, the malicious campaign was first noticed on October 12.

Tortilla is a new actor that has been operating since July 2021. Before turning to this ransomware, Tortilla experimented with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to give attackers unauthorized access to Windows machines.

The Tortilla threat actor has been active since at least July and mainly targets victims in the United States. However, some victims have reportedly been found in Brazil, Finland, Germany, Honduras, Ukraine, Thailand, and the United Kingdom.

The actor is also known for activity involving the PowerShell-based Netcat clone PowerCat, which is used to read from and write to network connections.[3] Over TCP and UDP, this networking tool can give attackers unauthorized access to Windows machines.

The exploitation of vulnerabilities

ProxyShell is the name given to a chain of three vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. A remote attacker who chains them gains unauthenticated access and code execution, which leads to plain-text password theft. The attack has been analyzed, and research teams have disclosed that attackers exploit ProxyShell to launch various web-shell attacks against Exchange. One of those was the LockFile ransomware[4] campaign.

In this recent Cisco Talos report, the team states that the attacker employs an unusual infection method: a chain technique in which the intermediate unpacking module is hosted on the (clone of delivers the Babuk ransomware. The code is downloaded and placed in memory before the final payload is executed. This is a new feature of the October 2021 campaign in particular.

The infection relies on DLL and .NET executable files that start the chain on the targeted machines. The additional processes can invoke shell commands and request the drop of the ransomware payload. The infection can then launch its encryption process on the server and on other mounted drives.

Babuk ransomware deployment

The ransomware distributed in the malicious Tortilla campaign, the Babuk virus, is a known infection that has already affected many large targets. One of the best-known victims was the Washington, D.C. police force, which was breached in April.[5] Babuk is fairly new ransomware, running since the beginning of 2021, but its double-extortion[6] feature makes the threat extremely dangerous and profitable for its creators. The attackers threaten to post the stolen data if the victim decides to ignore the payment demands after the file encryption procedure.

Unfortunately, the threat actors have successfully compromised machines. The group managed to collect $85,000 after the infection and received payments from at least five large companies. The threat encrypts files, steals information, destroys backups, and deletes shadow volume copies to leave victims with as few recovery options as possible.

The threat is described as flexible ransomware that can be compiled for several different operating systems. These recent campaigns have been found to target Windows, but the builder allows ransomware versions to be compiled for other platforms and devices. Tortilla can scan the internet for exploitable and vulnerable hosts, so researchers recommend staying on top of patching and implementing layered defense:

Organizations and defenders should remain vigilant against such threats and should implement layered defense with behavioral protection enabled on endpoints and servers, so that the threat is detected at an early stage of the infection chain.
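The infection chain above (web shell on the Exchange server, shell commands, .NET loader, shadow copy and backup destruction before encryption) is exactly what behavioral protection should flag early. The following added example, which is not part of the Talos report or this article, scans constructed process-creation events for two of those behaviors: the Exchange IIS worker process (assumed here to be w3wp.exe, the process Exchange web components run under) spawning a command shell, and command lines that destroy shadow copies or backups. The event fields, the sample events and the detection names are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not from the article), loosely
# modelled on the chain it describes: a web shell under the Exchange IIS worker
# process spawns a shell, which runs a .NET loader, and the ransomware later
# destroys shadow copies and backups before encrypting files.
SAMPLE_EVENTS = [
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -File loader.ps1"},
    {"parent": "powershell.exe", "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": "explorer.exe", "image": "vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"parent": "cmd.exe", "image": "wmic.exe", "cmdline": "wmic.exe shadowcopy delete"},
]

# The IIS worker process hosting Exchange should never spawn an interactive shell;
# when it does, a web shell is the usual explanation (assumed process name).
WEB_SHELL_PARENTS = {"w3wp.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Recovery-destruction commands typically run just before file encryption.
RECOVERY_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def classify(event):
    """Return the list of detection names that fire on one process-creation event."""
    hits = []
    if event["parent"].lower() in WEB_SHELL_PARENTS and event["image"].lower() in SHELL_CHILDREN:
        hits.append("exchange_webshell_spawned_shell")
    if any(p.search(event["cmdline"]) for p in RECOVERY_DESTRUCTION):
        hits.append("shadow_copy_or_backup_destruction")
    return hits


def scan(events):
    """Map event index to its detections; events with no hit are omitted."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        e = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {e['parent']} -> {e['image']}: {', '.join(names)}")
```

Note that the "vssadmin list shadows" event is deliberately left unflagged: administrators list shadow copies routinely, and only the deletion forms are worth an alert.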

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
