Windows or Linux? Doesn’t matter! Buhti ransomware operation ready to hit any platform
The Blacktail hackers have mastered the leaked malware toolkit and cleverly adapted it to suit their needs.
A new ransomware operation called Buhti uses the leaked code of the LockBit and Babuk ransomware families to attack Windows and Linux systems.
The attackers behind Buhti, tracked by security researchers as Blacktail, have not developed a ransomware variant of their own, but they have built a custom data-exfiltration tool that is used to blackmail victims. This tactic, popular with cybercriminals, is known as “double extortion”.
Buhti was first spotted in the wild (ITW) in February 2023 by Unit 42 at Palo Alto Networks, which at the time identified it as Go-based ransomware targeting Linux.
A report published today by Symantec researchers shows that Buhti also targets Windows, using a slightly modified variant of LockBit 3.0 codenamed “LockBit Black”. The Blacktail hackers are using the LockBit 3.0 builder for Windows, which was leaked to the public by a disgruntled LockBit developer in September 2022.
LockBit builder leaked last September
Once the attack is complete, the malware changes the wallpaper of the affected computers to tell the victims to open the ransom note, while all encrypted files receive the “.buhti” extension.
Buhti ransom note
To attack Linux, the Blacktail hackers use a payload based on the Babuk source code, which was posted on a cybercrime forum back in September 2021.
Earlier this month SentinelLabs and Cisco Talos reported cases of new ransomware operations using Babuk to attack Linux systems. While reuse of the same malware is usually considered a sign that the attackers are short on resources, in this case the use of Babuk is explained by its proven ability to compromise VMware ESXi and Linux systems.
Symantec reports that the Buhti attacks exploited the recently disclosed PaperCut NG and MF RCE vulnerabilities, which the LockBit and Clop gangs have also used. Specifically, the attackers rely on CVE-2023-27350 to install Cobalt Strike, Meterpreter, Sliver, AnyDesk and ConnectWise on target computers. They then use this software to steal credentials, move through the compromised networks, steal files, launch additional payloads, and much more.
As noted above, the Blacktail hackers use their own exfiltration tool and a specific network penetration strategy, so they can hardly be called mere copycats who simply reuse other hackers’ tools with minimal modifications. In any case, the approach is quite inventive.
The exfiltration tool developed by the hackers is a Go-based stealer that accepts command-line arguments specifying target directories on the file system. The tool is designed to steal the following file types: pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx and yaml. The files are copied into a ZIP archive that is later transferred to the Blacktail servers.
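For incident responders, the file-type list above is useful as a triage signal: a freshly created ZIP archive whose contents are dominated by exactly these extensions is worth a closer look as a possible staging archive. The following Go program is an added example written for this article; it is not the Blacktail tool or any code from the Symantec report. It parses a ZIP in memory, counts entries whose extensions are on the published list, and applies a simple threshold rule. The threshold values and the sample archive it builds are assumptions constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// buhtiTargetExts holds the file types the report says the Blacktail
// exfiltration tool collects, normalised to lower case without the dot.
var buhtiTargetExts = map[string]bool{
	"pdf": true, "php": true, "png": true, "ppt": true, "psd": true, "rar": true,
	"raw": true, "rtf": true, "sql": true, "svg": true, "swf": true, "tar": true,
	"txt": true, "wav": true, "wma": true, "wmv": true, "xls": true, "xml": true,
	"yml": true, "zip": true, "aiff": true, "aspx": true, "docx": true, "epub": true,
	"json": true, "mpeg": true, "pptx": true, "xlsx": true, "yaml": true,
}

// ArchiveStats summarises what a ZIP archive contains.
type ArchiveStats struct {
	Total    int            // regular file entries in the archive
	Targeted int            // entries whose extension is on the Buhti list
	ByExt    map[string]int // count per lower-cased extension
}

// IsTargetedExt reports whether a file name carries one of the listed
// extensions. The comparison is case-insensitive, so "REPORT.PDF" matches.
func IsTargetedExt(name string) bool {
	ext := strings.ToLower(strings.TrimPrefix(path.Ext(name), "."))
	return buhtiTargetExts[ext]
}

// InspectZip parses an in-memory ZIP and counts how many of its file entries
// match the targeted extension list. Directory entries are ignored.
func InspectZip(data []byte) (ArchiveStats, error) {
	stats := ArchiveStats{ByExt: map[string]int{}}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return stats, err
	}
	for _, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		stats.Total++
		ext := strings.ToLower(strings.TrimPrefix(path.Ext(f.Name), "."))
		stats.ByExt[ext]++
		if buhtiTargetExts[ext] {
			stats.Targeted++
		}
	}
	return stats, nil
}

// Suspicious applies a simple triage rule: the archive has at least minEntries
// files and at least minShare of them are of targeted types. Both thresholds
// are assumptions chosen for this example, not values from the report.
func (s ArchiveStats) Suspicious(minEntries int, minShare float64) bool {
	if s.Total < minEntries {
		return false
	}
	return float64(s.Targeted)/float64(s.Total) >= minShare
}

// buildSampleArchive writes a constructed ZIP with one-byte placeholder files
// so the example runs offline without touching any real data.
func buildSampleArchive(names []string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n)
		if err != nil {
			panic(err)
		}
		w.Write([]byte("x"))
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed sample: four of five entries are on the targeted list.
	sample := buildSampleArchive([]string{
		"finance/Q1.xlsx", "hr/contracts.docx", "db/customers.sql",
		"web/index.php", "notes/readme.md",
	})
	stats, err := InspectZip(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("entries=%d targeted=%d suspicious=%v by-ext=%v\n",
		stats.Total, stats.Targeted, stats.Suspicious(3, 0.5), stats.ByExt)
}
```

In practice this check would be run over archives found in temporary or user-writable directories during an investigation, or wired into a file-creation monitor; the extension list alone will produce false positives on legitimate backups, so the verdict should be combined with context such as the creating process and outbound transfers.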
Blacktail and its Buhti ransomware are a modern example of how easy it is for novice attackers to get into action using effective malware tools available in the public domain and cause significant damage to many organizations.
Blacktail’s tactic of quickly deploying exploits for newly disclosed vulnerabilities makes the group a serious threat that calls for increased vigilance and proactive defense strategies.