New Buhti ransomware uses leaked payloads and public exploits

A newly identified ransomware operation has refashioned leaked LockBit and Babuk payloads into Buhti ransomware, to launch attacks on both Windows and Linux systems.

Use of public exploits

One notable aspect of the attackers leveraging the Buhti ransomware is their ability to quickly exploit newly disclosed vulnerabilities (e.g., the recently patched PaperCut and IBM Aspera Faspex flaws).

The attackers are leveraging public exploits, Dick O’Brien, principal intelligence analyst with Symantec Threat Hunter team told Help Net Security. These enable the threat actors to bypass authentication and remotely execute code, providing them with unauthorized access to targeted systems.

Buhti ransomware targets Windows and Linux devices

The Buhti ransomware payload targeting Windows computers is a slightly modified version of the leaked LockBit 3.0 ransomware.

Encrypted files get the .buhti extension, and victims receive a ransom note outlining the demands and instructions for payment.

Buhti ransom note (Source: Symantec)

To target Linux systems, Buhti employs a variant of the leaked Babuk ransomware.

“Babuk was one of the first ransomware actors to target ESXi systems with a Linux payload. Babuk’s source code was leaked in 2021 and since then has been adopted and reused by multiple ransomware operations,” Symantec explained.

The text of the ransom note is always the same, but the payment address provided is different.

Leveraging leaked, custom and legitimate tools

They may be using leaked and rebranded ransomware payloads, but Blacktail leverages a custom data-exfiltration tool to steal specific file types from compromised systems.


Read more