Italian Software House active in antimalware research and antivirus development since 1992. VirIT eXplorer is the name of our antivirus suite.
Oct 14, 2021 • 4 tweets • 3 min read
#Proxyshell in #tortillas recipe #ransomware
We have seen a new actor named tortillas abusing proxyshell to run ransomware.
The ransomware maybe born from the leaked #Babuk code.
The attack is originated by the IP: 185.219.52.]229 @58_158_177_102@sugimu_sec
Chain: proxyshell -> webshell (a lot) -> certutil -> download and execute the payload.
The encrypted files has .babyk extension and end with "choung dong looks like hot dog!!" string that is typical from #Babuk, but the ransom note are different.
So we guess they used Babuk code.