Attackers used a modified EfsPotato exploit targeting the ProxyShell and PetitPotam flaws as an initial downloader.
The downloader runs an embedded obfuscated PowerShell command to download a packed downloader module from the threat actor’s infrastructure.
The PowerShell command also executes an AMSI bypass to circumvent endpoint protection.
The loader then connects to ‘pastebin.pl’ to download an intermediate unpacker module that decrypts the embedded Babuk ransomware payload in memory and injects it into a newly created .NET Framework process (AddInProcess32).
The Babuk ransomware module, running within the AddInProcess32 process, enumerates the processes running on the victim’s server and attempts to terminate a number of processes related to backup products, such as the Veeam backup service.
It also deletes Volume Shadow Copy Service (VSS) snapshots from the server using the vssadmin utility to make sure the encrypted files cannot be restored from their VSS copies. The ransomware module then encrypts the files on the victim’s server and appends the .babyk extension to the encrypted files.
The Tortilla group is demanding a $10,000 USD ransom in Monero to recover the encrypted documents.
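The host-level behaviours described above (shadow copy deletion from the AddInProcess32 host process and files being written with the .babyk extension) can be turned into detection logic. The following is an added example, not code from the original report; the Sysmon-style event fields, the exact vssadmin command line and the file paths are constructed sample telemetry, not real indicators.

```python
# Added example: flag the Babuk post-exploitation behaviours from the report
# over constructed process-creation and file-write events (field names assumed).
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process

VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)
ADDIN_PROCESS = "addinprocess32.exe"

def classify_process(ev: ProcEvent) -> list[str]:
    """Return the detection names triggered by one process-creation event."""
    hits = []
    if VSS_DELETE.search(ev.command_line):
        # Shadow copy deletion is a generic ransomware precursor: always alert.
        hits.append("vss_shadow_deletion")
        if ev.parent_image.lower().endswith(ADDIN_PROCESS):
            # The report places the Babuk module inside AddInProcess32, so a .NET
            # helper process deleting shadows is far more specific than vssadmin alone.
            hits.append("vss_deletion_from_addinprocess32")
    return hits

def is_babyk_file(path: str) -> bool:
    """True when a created or renamed file carries the .babyk extension."""
    return path.lower().endswith(".babyk")

def scan(proc_events, file_paths) -> dict[str, int]:
    """Aggregate findings across a batch of events as {detection: count}."""
    counts: dict[str, int] = {}
    for ev in proc_events:
        for h in classify_process(ev):
            counts[h] = counts.get(h, 0) + 1
    babyk = sum(1 for p in file_paths if is_babyk_file(p))
    if babyk:
        counts["babyk_extension_written"] = babyk
    return counts

# Constructed sample telemetry (not real IoCs): one benign launch, one shadow
# deletion spawned from AddInProcess32, one harmless vssadmin query.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]
SAMPLE_FILES = [r"C:\Users\svc\Documents\q3.xlsx.babyk", r"C:\Users\svc\Documents\notes.txt"]
```

Running `scan(SAMPLE_PROCS, SAMPLE_FILES)` yields one hit for each of the three detections; the benign `vssadmin list shadows` query is not flagged.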