A new ransomware operation called 'Buhti' has surfaced, targeting Windows and Linux systems using the leaked code from the LockBit and Babuk ransomware families. The threat actors behind Buhti, now known as 'Blacktail,' have not developed their own ransomware strain but have created a custom data exfiltration utility for blackmailing victims, employing the double-extortion tactic. Buhti was first observed in the wild in February 2023 by Palo Alto Networks' Unit 42 team, which classified it as a Go-based Linux-targeting ransomware. A report released today by Symantec's Threat Hunter team reveals that Buhti also targets Windows, using a slightly modified LockBit 3.0 variant named 'LockBit Black.'
Blacktail utilizes the Windows LockBit 3.0 builder, which a dissatisfied developer leaked on Twitter in September 2022. Successful attacks alter the wallpaper of compromised computers, instructing victims to open the ransom note, while all encrypted files receive the '.buthi' extension. For Linux attacks, Blacktail employs a payload based on the Babuk source code that a threat actor posted on a Russian-speaking hacking forum in September 2021. Earlier this month, SentinelLabs and Cisco Talos reported cases of new ransomware operations using Babuk to attack Linux systems. Although malware reuse is generally considered a sign of less sophisticated actors, in this instance, multiple ransomware groups are attracted to Babuk due to its proven ability to compromise VMware ESXi and Linux systems, which are highly profitable for cybercriminals.
Blacktail is not merely a copycat that repurposes other hackers' tools with minimal modifications. The new group uses its own custom exfiltration tool and a unique network infiltration strategy. Symantec reports that Buhti attacks have been exploiting the recently disclosed PaperCut NG and MF RCE vulnerability, which the LockBit and Clop gangs have also taken advantage of. The attackers rely on CVE-2023-27350 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise on target computers, using them to steal credentials, move laterally into compromised networks, steal files, launch additional payloads, and more. In February, the gang exploited CVE-2022-47986, a critical remote code execution flaw impacting the IBM Aspera Faspex file exchange product.
Buhti's exfiltration tool is a Go-based stealer that accepts command-line arguments specifying which directories in the filesystem to target. The tool collects file types such as pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx, and yaml. The files are copied into a ZIP archive and later exfiltrated to Blacktail's servers. Blacktail and its ransomware operation Buhti exemplify how easy it is for emerging threat actors to use effective malware tools and cause significant damage to organizations. Additionally, the leaked LockBit and Babuk source code can be utilized by existing ransomware gangs who wish to rebrand under a different name, leaving no connection to previous encryptors. Blacktail's strategy of quickly adopting exploits for newly disclosed vulnerabilities makes the group a formidable threat that demands increased vigilance and proactive defense measures like timely patching.
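As a defender-side illustration of the exfiltration behaviour just described, the following Python helpers profile a ZIP archive by the file extensions the report lists (a large archive made almost entirely of those types is a staging-archive signal worth triaging) and scope impact by locating files bearing the ransom extension. This is an added example, not code from Symantec, Unit 42 or the Blacktail tooling; the threshold values, helper names and sample file names are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from collections import Counter

# Extension list quoted from the Symantec description in the text above.
BUHTI_TARGET_EXTENSIONS = frozenset({
    "pdf", "php", "png", "ppt", "psd", "rar", "raw", "rtf", "sql", "svg",
    "swf", "tar", "txt", "wav", "wma", "wmv", "xls", "xml", "yml", "zip",
    "aiff", "aspx", "docx", "epub", "json", "mpeg", "pptx", "xlsx", "yaml",
})
# Extension appended to encrypted files, as given in the article.
BUHTI_ENCRYPTED_SUFFIX = ".buthi"


def _ext(name: str) -> str:
    """Lower-cased extension without the dot ('' if none)."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def zip_extension_profile(zip_bytes: bytes) -> tuple[int, int, Counter]:
    """Count entries in an in-memory ZIP that carry a Buhti-targeted extension.

    Returns (matched_count, total_file_count, per_extension_counter).
    Directory entries are ignored. Only the central directory is read, so
    archive contents are never extracted."""
    matched = 0
    total = 0
    counts: Counter = Counter()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1
            ext = _ext(info.filename)
            counts[ext] += 1
            if ext in BUHTI_TARGET_EXTENSIONS:
                matched += 1
    return matched, total, counts


def looks_like_buhti_staging(zip_bytes: bytes, min_files: int = 20,
                             min_ratio: float = 0.8) -> bool:
    """Heuristic: a staging archive is large and almost entirely made of the
    targeted document/media/config types. The thresholds are assumptions
    chosen here, not values from the report; tune them to your environment."""
    matched, total, _ = zip_extension_profile(zip_bytes)
    if total < min_files:
        return False
    return matched / total >= min_ratio


def is_encrypted_name(filename: str) -> bool:
    """True if a file name carries the Buhti ransom extension."""
    return filename.lower().endswith(BUHTI_ENCRYPTED_SUFFIX)


def find_encrypted_files(root: str) -> list[str]:
    """Walk a tree and return paths ending in the ransom extension, to scope
    impact once an incident is confirmed."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if is_encrypted_name(fn):
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def build_sample_archive(names: list[str]) -> bytes:
    """Constructed test data: an in-memory ZIP holding the given file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"sample content")
    return buf.getvalue()


# Constructed inputs: one mimicking a stealer staging archive, one a build backup.
STAGED_NAMES = ([f"finance/report_{i}.docx" for i in range(12)]
                + [f"db/dump_{i}.sql" for i in range(6)]
                + [f"web/page_{i}.php" for i in range(6)])
BENIGN_NAMES = ([f"build/obj_{i}.o" for i in range(15)]
                + [f"build/lib_{i}.so" for i in range(10)])

if __name__ == "__main__":
    staged = build_sample_archive(STAGED_NAMES)
    benign = build_sample_archive(BENIGN_NAMES)
    print("staged archive flagged:", looks_like_buhti_staging(staged))
    print("benign archive flagged:", looks_like_buhti_staging(benign))
    print("top extensions:", zip_extension_profile(staged)[2].most_common(3))
```

The archive check reads only the ZIP central directory, so it can run over quarantined or proxied uploads without extracting anything; the ratio threshold keeps ordinary backups that mix binaries and build artifacts from tripping it.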