Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware


Feb 4, 2016
A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.
The ProxyShell attacks against vulnerable Microsoft Exchange servers started several months ago, with LockFile and Conti being among the first ransomware groups to exploit them.

According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as 'Tortilla' had joined the club in October, when the actor started using the 'China Chopper' web shell on breached Exchange servers.

The name Tortilla is based on malicious executables spotted in campaigns using the name Tortilla.exe.

Starts with Exchange

The Babuk ransomware attack starts with a DLL or .NET executable dropped on the Exchange server using the ProxyShell vulnerability.