Connect with us

Hi, what are you looking for?



Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

The recently identified Buhti operation uses LockBit and Babuk ransomware variants to target Linux and Windows systems.

A recently identified ransomware operation called Buhti is using LockBit and Babuk variants to target both Linux and Windows systems, Symantec reports.

Initially observed in February 2023, the Buhti operation, which Symantec calls Blacktail, has been rapidly expanding since mid-April, exploiting recent vulnerabilities for initial access, and relying on a custom tool to steal victim files.

In a recent attack, the Buhti operators used a minimally modified version of the LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit leaked online in September 2022.

Previously, the operators were seen targeting Linux systems with the Golang-based variants of Babuk, the first ransomware to target ESXi systems. Babuk’s code leaked online in 2021.

Blacktail was also seen using a custom information stealer written in Golang, which searches the victim machine for specific files, including documents, archives, presentations, and audio and video files, and compresses them in a .ZIP archive.

The attackers can use command-line arguments to configure the tool to search within specific directories, and can also name the output archive.

The Blacktail group was also seen exploiting recent vulnerabilities, such as CVE-2023-27350, a PaperCut NG/MF flaw leading to remote code execution that has been exploited in the wild since mid-April.

“The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network,” Symantec notes.

Advertisement. Scroll to continue reading.

The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex, also leading to remote code execution.

Kaspersky senior security researcher Marc Rivero told SecurityWeek that Buhti has been observed targeting organizations in Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Related: Rheinmetall Says Military Business Not Impacted by Ransomware Attack

Related: Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.