Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Exchange ProxyShell Exploits Used to Deploy Babuk Ransomware

Microsoft Exchange ProxyShell Exploits Used to Deploy Babuk Ransomware

A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.

The ProxyShell attacks against vulnerable Microsoft Exchange servers started several months ago, with LockFile and Conti being among the first ransomware groups to exploit them.

The name Tortilla is based on malicious executables spotted in campaigns using the name Tortilla.exe.

Also Read: How To Comply With PDPA: A Checklist For Businesses

Starts with Exchange

The Babuk ransomware attack starts with a DLL, or .NET executable dropped on the Exchange server using the ProxyShell vulnerability.

The Exchange IIS worker process w3wp.exe then executes this malicious payload to execute obfuscated PowerShell command that features endpoint protection bypassing, eventually invoking a web request to fetch a payload loader named ‘tortilla.exe.’

This loader will connect to ‘’ and download a payload that is loaded into memory and injected into a NET Framework process, which ultimately encrypts the device with the Babuk Ransomware.

Infection chain diagram
Infection chain diagram
Source: Cisco

Although Cisco analysts found evidence of ProxyShell vulnerability exploitation in most infections, most notably the ‘China Chopper’ web shell, the telemetry data reflects a broad spectrum of attempted exploits.

Also Read: In Case You Didn’t Know, ISO 27001 Requires Penetration Testing

More specifically, Tortilla followed these pathways to drop the DLL and .NET modules:

  • Microsoft Exchange auto-discover server-side request forgery attempt
  • Atlassian Confluence OGNL injection remote code execution attempt
  • Apache Struts remote code execution attempt
  • WordPress wp-config.php access via directory traversal attempt
  • SolarWinds Orion authentication bypass attempt
  • Oracle WebLogic Server remote command execution attempt
  • Liferay arbitrary Java object deserialization attempt

As these attacks rely on patched vulnerabilities, it is strongly advised that all admins upgrade their servers to the latest versions to prevent them from being exploited in attacks.

Using Babuk in new attacks

Babuk Locker is a ransomware operation launched at the beginning of 2021 when it began targeting businesses and encrypting their data in double-extortion attacks.

After conducting an attack on the Washinton DC’s Metropolitan Police Department (MPD), and feeling the heat from U.S. law enforcement, the ransomware gang shut down their operation.

After the source code for the first version of Babuk and a builder were leaked on hacking forums, other threat actors began utilizing the ransomware to launch their own attacks.

It is unclear if Tortilla was an affiliate of Babuk back when the RaaS was active or if they just grabbed the strain’s source code when it came out to conduct new attacks.

However, as the ransom note used in these attacks ask for a low $10,000 in Monero, it is likely not conducted by the original Babuk operation, who demanded far larger ransomware in Bitcoin.

Tortilla's ransom note
Tortilla’s ransom note
Source: Cisco

Targeting the USA

Although Talos researchers noticed some attacks in Germany, Thailand, Brazil, and the U.K., most of Tortilla’s targets are U.S.-based.

The I.P. address of the download server is located in Moscow, Russia, which could indicate the origin of these attacks, but there are no attribution conclusions in the report.

Also, the ‘’ domain used for the unpacking stage has been previously abused by AgentTesla and FormBook distribution campaigns.

Victim heatmap
Victim heatmap
Source: Cisco

While a decryptor was previously released for Babuk ransomware, it can only decrypt victims whose private keys were part of the source code leak.

Therefore, threat actors can continue to use the Babuk ransomware strain to launch their own operations, such as what we are seeing with the Tortilla threat actor.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us