A newly discovered ransomware operation named Buhti, also referred to as Blacktail by Symantec, has been rapidly expanding since mid-April 2023. The operation uses LockBit and Babuk ransomware variants to target both Linux and Windows systems. Initially observed in February 2023, Buhti exploits recent vulnerabilities for initial access and relies on a custom tool to steal files from its victims.
In a recent attack, Buhti operators employed a slightly modified version of LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit was leaked online in September 2022. Prior to this, the threat actors targeted Linux systems using Golang-based variants of Babuk, which was the first ransomware to target ESXi systems. The source code for Babuk was leaked online in 2021.
Blacktail has also been observed using a custom information stealer written in Golang. This tool searches the victim's machine for specific file types, such as documents, archives, presentations, and audio and video files, and compresses them into a .ZIP archive. The attackers can use command-line arguments to configure the tool to search within specific directories and can also name the output archive.
The Blacktail group exploited recent vulnerabilities, including CVE-2023-27350, a flaw in PaperCut NG/MF that leads to remote code execution. This vulnerability has been exploited in the wild since mid-April. Symantec noted, “The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network.” The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex, which also results in remote code execution.
Marc Rivero, a senior security researcher at Kaspersky, informed that Buhti has been observed targeting organizations in various countries, including Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.