A recently identified ransomware operation called Buhti is using LockBit and Babuk variants to target both Linux and Windows systems, Symantec reports.
Initially observed in February 2023, the Buhti operation, which Symantec calls Blacktail, has been rapidly expanding since mid-April, exploiting recent vulnerabilities for initial access, and relying on a custom tool to steal victim files.
In a recent attack, the Buhti operators used a minimally modified version of the LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit leaked online in September 2022.
Previously, the operators were seen targeting Linux systems with the Golang-based variants of Babuk, the first ransomware to target ESXi systems. Babuk’s code leaked online in 2021.
Blacktail was also seen using a custom information stealer written in Golang, which searches the victim machine for specific files, including documents, archives, presentations, and audio and video files, and compresses them in a .ZIP archive.
The attackers can use command-line arguments to configure the tool to search within specific directories, and can also name the output archive.
The Blacktail group was also seen exploiting recent vulnerabilities, such as CVE-2023-27350, a PaperCut NG/MF flaw leading to remote code execution that has been exploited in the wild since mid-April.
“The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network,” Symantec notes.
The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex, also leading to remote code execution.
Kaspersky senior security researcher Marc Rivero told SecurityWeek that Buhti has been observed targeting organizations in Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.
Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS
Related: Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Related: Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

More from Ionut Arghire
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
- Chrome 114 Released With 18 Security Fixes
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
Latest News
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Amazon Settles Ring Customer Spying Complaint
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Adobe Inviting Researchers to Private Bug Bounty Program
