Babuk Ransomware Campaign Targeting ProxyShell Vulnerabilities in Microsoft Exchange Server


According to Cisco Talos security experts, a new Babuk ransomware campaign is targeting Microsoft Exchange Server’s ProxyShell vulnerabilities.

The researchers discovered evidence that the attackers are compromising computers via a China Chopper web shell, which they then use to deploy Babuk.

The issues were identified as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 in April and May, with technical details released in August. Unauthenticated attackers can use the flaws to execute arbitrary code.

Attacks on the Exchange Server weaknesses have been occurring for several months, according to Cisco experts, and the Tortilla threat actor, which has been active since July 2021, has begun targeting the flaws.

In the infection chain, an intermediate unpacking module is downloaded from pastebin.pl (a pastebin.com clone) and decoded in memory; the final payload is then decrypted and run.

For the initial intrusion, Cisco Talos discovered a customised EfsPotato attack that targets both ProxyShell and PetitPotam vulnerabilities.

Once launched, the Babuk ransomware attempts to terminate a number of processes on the victim server, suspend backup products and remove volume shadow service (VSS) snapshots. It then encrypts all of the server’s files and appends the .babyk file extension to them.

The ransomware then sends a ransom note to the victim, asking $10,000 in exchange for the decryption key.

Babuk has been targeting both Windows and Linux systems in enterprise contexts since January 2021, and it uses a pretty complicated key generation process to prevent file recovery. Last week, a free decryption tool for Babuk was revealed.

“Organizations should update their servers and applications on a regular basis with the latest vendor updates to eliminate vulnerabilities in their environment. Defenders should be on the lookout for unusual events triggered by detection systems, such as abrupt service termination, excessively high I/O speeds for discs associated with their servers, shadow copy deletion, or system configuration changes,” according to Cisco Talos.
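As an added example that is not part of the article or of Cisco Talos’s advice, the following Python script turns the detection guidance above into concrete rules run over constructed log lines: it flags shadow copy deletion commands, service stop commands, and a burst of files renamed to the .babyk extension described earlier. The `timestamp|host|type|detail` log format, the host names, the file paths and the threshold of three renames are all assumptions made for this example.

```python
"""Toy detector for the post-exploitation indicators Cisco Talos names above:
shadow copy deletion, abrupt service termination, and a burst of files being
renamed to the ransomware's .babyk extension.

The log format ("timestamp|host|type|detail") and every sample line below are
constructed for this example; they are not real telemetry from any incident.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events from two hosts; only EXCH01 shows ransomware behaviour.
SAMPLE_LOGS = """\
2021-11-03T10:01:02|EXCH01|process|C:\\Windows\\System32\\cmd.exe /c whoami
2021-11-03T10:01:09|EXCH01|process|vssadmin.exe delete shadows /all /quiet
2021-11-03T10:01:10|EXCH01|process|wmic.exe shadowcopy delete
2021-11-03T10:01:12|EXCH01|process|net.exe stop "Veeam Backup Service"
2021-11-03T10:01:13|EXCH01|process|net.exe stop SQLWriter
2021-11-03T10:01:20|EXCH01|file_rename|D:\\Mailboxes\\db01.edb -> D:\\Mailboxes\\db01.edb.babyk
2021-11-03T10:01:20|EXCH01|file_rename|D:\\Mailboxes\\db02.edb -> D:\\Mailboxes\\db02.edb.babyk
2021-11-03T10:01:21|EXCH01|file_rename|D:\\Mailboxes\\db03.edb -> D:\\Mailboxes\\db03.edb.babyk
2021-11-03T10:05:00|FILE02|process|C:\\Windows\\System32\\notepad.exe C:\\notes.txt
2021-11-03T10:05:01|FILE02|file_rename|C:\\notes.txt -> C:\\notes.bak
"""

# Built-in Windows tools commonly used to delete shadow copies (MITRE ATT&CK T1490).
SHADOW_COPY_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I
)
# Service termination via net.exe / sc.exe, matching the "abrupt service termination" advice.
SERVICE_STOP = re.compile(r"\b(net(\.exe)?|sc(\.exe)?)\s+stop\b", re.I)
RANSOM_EXT = ".babyk"
RENAME_THRESHOLD = 3  # assumed: alert once a host renames this many files to the extension


def parse_line(line):
    """Split one 'timestamp|host|type|detail' line into a dict; None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, kind, detail = parts
    return {"ts": ts, "host": host, "kind": kind, "detail": detail}


def detect(log_text):
    """Return a list of (host, rule_name, detail) alerts for the given log text."""
    alerts = []
    rename_hits = defaultdict(list)  # host -> new file names carrying the ransom extension
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "process":
            if SHADOW_COPY_DELETE.search(ev["detail"]):
                alerts.append((ev["host"], "shadow_copy_deletion", ev["detail"]))
            elif SERVICE_STOP.search(ev["detail"]):
                alerts.append((ev["host"], "service_stop", ev["detail"]))
        elif ev["kind"] == "file_rename":
            # Rename events are recorded as "old -> new"; only the new name matters here.
            _, _, new_name = ev["detail"].partition(" -> ")
            if new_name.lower().endswith(RANSOM_EXT):
                rename_hits[ev["host"]].append(new_name)
    # A single rename is noise; a burst on one host is the encryption loop at work.
    for host, names in rename_hits.items():
        if len(names) >= RENAME_THRESHOLD:
            alerts.append(
                (host, "ransom_extension_burst", f"{len(names)} files renamed to {RANSOM_EXT}")
            )
    return alerts


def summarize(alerts):
    """Count alerts per rule name, e.g. for a dashboard or a triage e-mail."""
    return Counter(rule for _, rule, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for host, rule, detail in found:
        print(f"{host}: {rule}: {detail}")
    print(dict(summarize(found)))
```

In practice these rules would run over Sysmon process-creation (Event ID 1) and file-rename telemetry rather than the constructed format used here, and the shadow copy rule alone is a high-confidence signal on a production Exchange server, where no administrator normally deletes all snapshots quietly.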

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.