Blacktail develops Buhti ransomware via leaked source code

June 7, 2023

The Blacktail group has created the new Buhti ransomware by leveraging leaked source code of the Babuk and LockBit encryptors. The group has also paired the ransomware with a custom-built infostealer to exfiltrate data from victims.

Initial analysis found that the ransomware operation has no ties to known threat groups, suggesting its developers belong to a new group, tracked as Blacktail.

The Buhti ransomware operation has already infected several devices.

New Buhti samples have since appeared on Windows computers, where the operation uses a modified build of LockBit 3.0; the Windows LockBit 3.0 builder leaked in September last year. Buhti itself was first observed last February, and at that point it targeted only Linux devices.

For Linux targets, Blacktail used the Babuk source code, which became publicly available on Russian hacking forums in September 2021. Analysts note that Buhti is not a simple copycat despite borrowing its encryptors from leaked code, since its developers have invested effort in building custom exfiltration tooling and network intrusion techniques.

Further analysis showed that the exfiltration tool is written in Go; it searches for documents, sorts them, and uploads them to an attacker-controlled server. The threat actors also exploit the recently patched PaperCut vulnerability, which affects both Windows and Linux installations.

The earliest samples researchers identified date from February, when the actors were exploiting a deserialisation flaw in IBM's Aspera Faspex. After gaining access, the attackers deployed legitimate and dual-use tools such as Meterpreter, Cobalt Strike, Sliver, AnyDesk, and ConnectWise, giving them the ability to steal credentials, move laterally across the network, and stage additional payloads.

Buhti illustrates how an emerging threat can reuse leaked source code to build multi-OS ransomware, and its rapid adoption of recently disclosed vulnerabilities shows that Blacktail is investing significant effort in developing the operation.

Defenders should track this newly discovered threat closely so that detection and response strategies can be put in place promptly.
