Security News > 2021 > November > Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers
A new bad actor called Tortilla is running the campaign, and most affected users are in the U.S. Cisco Talos has a warning out for U.S. companies about a new variant of the Babuk ransomware.
Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the new threat in a Talos Intelligence blog post.
The researchers think that the initial infection vector is an exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.
The.NET executable version of the initial downloader is a modified variant of the EfsPotato exploit with code to download and trigger the next stage.
The Cisco Talos post has details on each phase and tool in the attack.
The researchers note the Babuk builder and its source code were leaked in July and that the Tortilla ransomware actor has been experimenting with different payloads.
News URL
Related news
- FBI disrupts the Dispossessor ransomware operation, seizes servers (source)
- FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany (source)
- Linux version of new Cicada ransomware targets VMware ESXi servers (source)
- VMware ESXi Servers Targeted by New Ransomware Variant from Cicada3301 Group (source)
- Germany seizes 47 crypto exchanges used by ransomware gangs (source)
- US sanctions crypto exchanges used by Russian ransomware gangs (source)