The scientists found evidence that the attackers are using a China Chopper web shell for the first intrusion and then using that to install Babuk. 

The vulnerabilities, identified as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, were resolved in April and May, including technical details publicly disclosed in August. An unauthenticated attacker can use the flaws to execute arbitrary code. 

Operations targeting the security vulnerabilities have indeed been underway for some months, according to Cisco experts, as well as the Tortilla threat actor, which has been operational since July 2021, has begun attacking the Exchange Server vulnerability. 

An intermediate unpacking component is downloaded via pastebin.pl (a pastebin.com clone) and afterward decoded in memory before the ultimate payload is encrypted and run. For the original attack, Cisco Talos discovered a customized EfsPotato attack that targets both the ProxyShell and PetitPotam flaws. 

When the Babuk ransomware is activated, it tries to deactivate a range of procedures on the victim server, stops backup products, and erases volume shadow service (VSS) snapshots. Following that, it encodes all files on the server and adds the file extension .babyk to them. The ransomware subsequently issues a ransom note seeking a $10,000 ransom payment from the victim in return for the decryption key. 

“Organizations should regularly update their servers and applications with the latest available patches from the vendors eliminating the vulnerabilities in their environment. Defenders should be constantly looking for suspicious events generated by detection systems for abrupt service termination, abnormally high I/O rates for drives attached to their servers, the deletion of shadow copies, or system configuration changes,” Cisco Talos said. 

Babuk, which was first disclosed in January 2021, targets both Windows and Linux computers in business situations and employs a highly sophisticated key generation process to hinder file recovery.