A new ransomware operation codenamed “Buhti” uses leaked code from the LockBit and Babuk ransomware families to target Windows and Linux systems respectively.
While the threat actors behind Buhti, now tracked as “Blacktail”, haven’t developed their own strain of ransomware, they have created a custom data exfiltration utility that they use to blackmail victims, a tactic known as “double extortion”.
Buhti was first spotted in the wild in February 2023 by Palo Alto Networks' Unit 42 team, which identified it as Go-based ransomware targeting Linux.
A report released today by Symantec Threat Hunter Team shows that Buhti also targets Windows, using a slightly modified variant of LockBit 3.0 named “LockBit Black”.
Blacktail uses the Windows LockBit 3.0 builder that a disgruntled developer leaked on Twitter in September 2022.
Successful attacks change the wallpaper of hacked computers to tell victims to open the ransom note while all encrypted files are given the “.buthi” extension.
For Linux attacks, Blacktail uses a payload based on the Babuk source code that a threat actor leaked on a Russian-speaking hacking forum in September 2021.
Earlier this month, SentinelLabs and Cisco Talos highlighted cases of new ransomware operations using Babuk to attack Linux systems.
While malware reuse is generally considered a sign of less sophisticated actors, in this case several ransomware groups gravitate to Babuk due to its proven ability to compromise VMware ESXi and Linux systems, which are highly profitable targets for cybercriminals.
Features of Blacktail
Blacktail is not just an imitator that reuses other hackers’ tools with minimal modifications. Instead, the new group uses its own custom exfiltration tool and a separate network infiltration strategy.
Symantec reports that Buhti's attacks took advantage of the recently revealed PaperCut NG and MF RCE vulnerability that the LockBit and Clop gangs also exploited.
The attackers rely on CVE-2023-27350 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise on target computers, using them to steal credentials and move laterally through compromised networks, steal files, launch additional payloads, and more.
In February, the gang exploited CVE-2022-47986, a critical remote code execution flaw affecting the IBM Aspera Faspex file exchange product.
Buhti's exfiltration tool is a Go-based stealer that accepts command line arguments specifying the directories in the file system it should collect from.
The tool targets the following file types for theft: pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx and yaml.
The files are copied into a ZIP archive and then exfiltrated to Blacktail’s servers.
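As an added defensive example (it is not Symantec's code and has nothing to do with the Buhti operation's own tooling), the following Python triage script checks a directory tree for the two host-side indicators the article gives: files renamed with the ".buthi" extension after encryption, and ZIP archives packed almost entirely from the listed document and media types, which is what a staging archive left behind before exfiltration would look like. The sample tree it builds is constructed for the demo, and the member-count and ratio thresholds are assumptions, not published figures.

```python
"""Triage helpers for the Buhti indicators described in the article.

Added example, not Symantec's or the threat actor's code. Indicators taken
from the article: the ".buthi" suffix on encrypted files and the extension
list collected by the exfiltration tool. Thresholds are assumptions.
"""
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Extensions the exfiltration tool is reported to collect (from the article).
TARGETED_EXTENSIONS = {
    "pdf", "php", "png", "ppt", "psd", "rar", "raw", "rtf", "sql", "svg",
    "swf", "tar", "txt", "wav", "wma", "wmv", "xls", "xml", "yml", "zip",
    "aiff", "aspx", "docx", "epub", "json", "mpeg", "pptx", "xlsx", "yaml",
}
ENCRYPTED_SUFFIX = ".buthi"  # extension given to encrypted files (from the article)

# Assumed thresholds for calling a ZIP a likely staging archive.
MIN_MEMBERS = 20
MIN_TARGETED_RATIO = 0.9


def find_encrypted_files(root):
    """Return sorted paths under root whose final suffix is the Buhti extension."""
    root = Path(root)
    return sorted(str(p) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() == ENCRYPTED_SUFFIX)


def archive_profile(zip_path):
    """Summarise a ZIP's members: (member_count, targeted_ratio, top_extensions)."""
    with zipfile.ZipFile(zip_path) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    exts = Counter(Path(n).suffix.lstrip(".").lower() for n in names)
    targeted = sum(c for e, c in exts.items() if e in TARGETED_EXTENSIONS)
    ratio = targeted / len(names) if names else 0.0
    return len(names), ratio, exts.most_common(3)


def is_staging_archive(zip_path):
    """Flag archives that are large and made almost only of targeted types."""
    count, ratio, _ = archive_profile(zip_path)
    return count >= MIN_MEMBERS and ratio >= MIN_TARGETED_RATIO


def build_demo_tree(base):
    """Construct sample data: documents, unrelated binaries, 'encrypted' files,
    one staging-style archive and one benign archive. Contents are dummy bytes."""
    base = Path(base)
    share = base / "share"
    share.mkdir()
    staged = []
    for i in range(25):
        ext = ["docx", "xlsx", "pdf", "sql", "json"][i % 5]
        p = share / f"report_{i}.{ext}"
        p.write_text("sample content")
        staged.append(p)
    for i in range(5):
        (share / f"bin_{i}.exe").write_bytes(b"MZ")
    for i in range(3):  # files renamed the way the article describes
        (share / f"contract_{i}.docx{ENCRYPTED_SUFFIX}").write_bytes(b"\x00" * 16)
    staging = base / "staging.zip"
    with zipfile.ZipFile(staging, "w") as zf:
        for p in staged:
            zf.write(p, arcname=p.name)
    benign = base / "setup.zip"  # small installer-style archive, mixed types
    with zipfile.ZipFile(benign, "w") as zf:
        for i in range(5):
            zf.writestr(f"tool_{i}.exe", b"MZ")
            zf.writestr(f"readme_{i}.txt", "x")
    return share, staging, benign


def run_demo():
    """Build the constructed tree in a temp dir and return the triage results."""
    with tempfile.TemporaryDirectory() as tmp:
        share, staging, benign = build_demo_tree(tmp)
        members, ratio, _ = archive_profile(staging)
        return {
            "encrypted_count": len(find_encrypted_files(share)),
            "staging_members": members,
            "staging_ratio": ratio,
            "staging_flagged": is_staging_archive(staging),
            "benign_flagged": is_staging_archive(benign),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the verdict on the constructed tree; to use it on a real host, call `find_encrypted_files` on the shares you care about and `is_staging_archive` on recently created ZIPs, and tune the two thresholds to the normal archive sizes in your environment so that backup jobs and installers do not trip the check.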
Blacktail and its Buhti ransomware operation are a modern example of how easily would-be cybercriminals can spring into action using effective malicious tools and cause significant damage to organizations.
Additionally, the leaked LockBit and Babuk source code can be used by existing ransomware gangs who wish to rebrand under a different name, leaving no connection to previous encryptors.
Blacktail’s tactic of quickly adopting exploits for newly revealed vulnerabilities makes it a potent threat that requires heightened vigilance and proactive defense strategies such as timely patching.