The attacks spotted by Cisco Talos were carried out by a Babuk ransomware affiliate tracked as Tortilla that has been active since at least July 2021.
The attack chain starts with a downloader module on a victim’s server in the form of a standalone executable format and a DLL. The DLL downloader is run by the Exchange IIS worker process w3wp.exe.
Attackers used a modified EfsPotato exploit to target proxyshell and PetitPotam flaws as an initial downloader. The downloader runs an embedded obfuscated PowerShell command to download a packed downloader module from the threat actor’s infrastructure. The PowerShell command also executes an AMSI bypass to circumvent endpoint protection.
Then the loader will connect to ‘pastebin.pl’ to download an intermediate unpacker module that decrypts the embedded Babuk ransomware payload in memory and injects it into a newly created NET Framework process (AddInProcess32).
“The Babuk ransomware module, running within the process AddInProcess32, enumerates the processes running on the victim’s server and attempts to disable a number of processes related to backup products, such as Veeam backup service. It also deletes volume shadow service (VSS) snapshots from the server using vssadmin utility to make sure the encrypted files cannot be restored from their VSS copies. The ransomware module encrypts the files in the victim’s server and appends a file extension .babyk to the encrypted files.” reads the analysis published by Talos.
The Tortilla group is demanding a $10,000 USD ransom in Monero to recover the encrypted documents.
The analysis of DNS request distribution to the malicious domains revealed that most of the requests were coming from the U.S.. Experts observed a smaller number of impacted users in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.
(SecurityAffairs – hacking, Babuk Ransomware)