New Buhti ransomware uses leaked payloads and public exploits

A newly identified ransomware operation has refashioned leaked LockBit and Babuk payloads into Buhti ransomware, to launch attacks on both Windows and Linux systems.

Use of public exploits

One notable aspect of the attackers leveraging the Buhti ransomware is their ability to quickly exploit newly disclosed vulnerabilities (e.g., the recently patched PaperCut and IBM Aspera Faspex flaws).

The attackers are leveraging public exploits, Dick O’Brien, principal intelligence analyst with Symantec Threat Hunter team told Help Net Security. These enable the threat actors to bypass authentication and remotely execute code, providing them with unauthorized access to targeted systems.

Buhti ransomware targets Windows and Linux devices

The Buhti ransomware payload targeting Windows computers is a slightly modified version of the leaked LockBit 3.0 ransomware.

Encrypted files get the .buhti extension, and victims receive a ransom note outlining the demands and instructions for payment.

Buhti ransomware

Buhti ransom note (Source: Symantec)

To target Linux systems, Buhti employs a variant of the leaked Babuk ransomware.

“Babuk was one of the first ransomware actors to target ESXi systems with a Linux payload. Babuk’s source code was leaked in 2021 and since then has been adopted and reused by multiple ransomware operations,” Symantec explained.

The text of the ransom note is always the same, but the payment address provided is different.

Leveraging leaked, custom and legitimate tools

They may be using leaked and rebranded ransomware payloads, but Blacktail leverages a custom data-exfiltration tool to steal specific file types from compromised systems.

“The tool can be configured via command-line arguments to specify both the directory to search for files of interest in and the name of the output archive,” the researchers said.

The attackers also use legitimate remote access tools (AnyDesk, ConnectWise) and cracked versions of pentesting tools like Cobalt Strike to access the computer, steal data and deliver the ransomware payload.

Given the absence of a direct connection between Buhti and any known cybercrime organization, the researchers have dubbed the operators “Blacktail”.

“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” Symantec has concluded.

Don't miss