Buhti Ransomware Operation Expands, Targeting Global Organizations
May 26, 2023
A newly discovered ransomware operation named Buhti, which Symantec tracks as Blacktail, has been expanding rapidly since mid-April 2023. The operation uses leaked LockBit and Babuk ransomware variants to target both Windows and Linux systems. First observed in February 2023, Buhti exploits recently disclosed vulnerabilities for initial access and relies on a custom tool to steal files from its victims.
In a recent attack, the Buhti operators used a slightly modified build of LockBit 3.0 (LockBit Black) against Windows machines; the LockBit 3.0 builder was leaked online in September 2022. Before that, the group targeted Linux systems with Golang-based variants of Babuk, the first ransomware to target VMware ESXi hosts, whose source code was leaked online in 2021.
Blacktail also uses a custom information stealer written in Golang. The tool searches the victim's machine for specific file types (documents, archives, presentations, and audio and video files) and compresses them into a single .ZIP archive. Command-line arguments let the attackers restrict the search to specific directories and set the name of the output archive.
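To make concrete what that staging step looks like on disk, here is an added Go example, written for this article and not code from the Blacktail tool or from Symantec. It reproduces only the behaviour described above: walk the directories named on the command line, pick out files by extension, and write them into one ZIP whose name the operator chooses. The extension list is an assumption standing in for the categories the article names; the real tool's list is not published here. The example also skips its own output archive (a .zip under a searched directory would otherwise be swept up mid-write) and includes a small inventory function of the kind an incident responder uses to see what a recovered staging archive contains.

```go
package main

import (
	"archive/zip"
	"flag"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Extension set standing in for the categories the article names (documents,
// archives, presentations, audio, video). This exact list is an assumption;
// the article does not give the real tool's list.
var wantedExt = map[string]bool{
	".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".pdf": true, ".txt": true,
	".ppt": true, ".pptx": true,
	".zip": true, ".rar": true, ".7z": true,
	".mp3": true, ".wav": true,
	".mp4": true, ".avi": true, ".mkv": true,
}

// wantedFile reports whether a path has one of the targeted extensions
// (matched case-insensitively, so REPORT.DOCX is still picked up).
func wantedFile(path string) bool {
	return wantedExt[strings.ToLower(filepath.Ext(path))]
}

// collect walks every root, copies each matching regular file into a single
// ZIP at outPath, and returns how many files were archived. Entry names are
// <root basename>/<relative path> so files from different roots do not collide.
// The archive being written is skipped if it lies under one of the roots,
// since its own .zip extension would otherwise make it a target.
func collect(roots []string, outPath string) (int, error) {
	absOut, err := filepath.Abs(outPath)
	if err != nil {
		return 0, err
	}
	out, err := os.Create(outPath)
	if err != nil {
		return 0, err
	}
	defer out.Close()
	zw := zip.NewWriter(out)

	count := 0
	for _, root := range roots {
		walkErr := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			if err != nil || d.IsDir() || !wantedFile(path) {
				return nil // unreadable entries and non-targets are skipped, not fatal
			}
			if abs, _ := filepath.Abs(path); abs == absOut {
				return nil // never archive the archive we are writing
			}
			rel, err := filepath.Rel(root, path)
			if err != nil {
				return err
			}
			name := filepath.ToSlash(filepath.Join(filepath.Base(root), rel))
			w, err := zw.Create(name)
			if err != nil {
				return err
			}
			f, err := os.Open(path)
			if err != nil {
				return nil // file vanished or is locked: skip it
			}
			defer f.Close()
			if _, err := io.Copy(w, f); err != nil {
				return err
			}
			count++
			return nil
		})
		if walkErr != nil {
			zw.Close()
			return count, walkErr
		}
	}
	return count, zw.Close()
}

// listArchive returns the entry names in a ZIP: the inventory an incident
// responder takes of a staging archive recovered from a victim host.
func listArchive(path string) ([]string, error) {
	r, err := zip.OpenReader(path)
	if err != nil {
		return nil, err
	}
	defer r.Close()
	names := make([]string, 0, len(r.File))
	for _, f := range r.File {
		names = append(names, f.Name)
	}
	return names, nil
}

func main() {
	dirs := flag.String("dirs", ".", "comma-separated directories to search")
	out := flag.String("out", "collected.zip", "name of the output archive")
	flag.Parse()
	n, err := collect(strings.Split(*dirs, ","), *out)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("archived %d files into %s\n", n, *out)
}
```

Running it as `go run . -dirs /home/alice/Documents,/srv/share -out staging.zip` produces the pattern defenders should be looking for: one process reading a large number of user documents across several directories in a short window, followed by a single large archive write. Nothing here exfiltrates; the transfer step is what the operators' Cobalt Strike, Meterpreter, Sliver and remote-access tooling is for.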
The Blacktail group has exploited recent vulnerabilities, including CVE-2023-27350, an authentication-bypass flaw in PaperCut NG/MF that leads to remote code execution and has been exploited in the wild since mid-April. Symantec noted, “The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network.” The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex that likewise results in remote code execution.
Marc Rivero, a senior security researcher at Kaspersky, said that Buhti has been observed targeting organizations in numerous countries, including Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.