Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

The recently identified Buhti operation uses LockBit and Babuk ransomware variants to target Linux and Windows systems.

A recently identified ransomware operation called Buhti is using LockBit and Babuk variants to target both Linux and Windows systems, Symantec reports.

Initially observed in February 2023, the Buhti operation, which Symantec calls Blacktail, has been rapidly expanding since mid-April, exploiting recent vulnerabilities for initial access, and relying on a custom tool to steal victim files.

In a recent attack, the Buhti operators used a minimally modified version of the LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit leaked online in September 2022.

Previously, the operators were seen targeting Linux systems with the Golang-based variants of Babuk, the first ransomware to target ESXi systems. Babuk’s code leaked online in 2021.

Blacktail was also seen using a custom information stealer written in Golang, which searches the victim machine for specific file types, including documents, archives, presentations, and audio and video files, and compresses them into a .ZIP archive.

The attackers can use command-line arguments to configure the tool to search within specific directories and to set the name of the output archive.

The Blacktail group was also seen exploiting recent vulnerabilities, such as CVE-2023-27350, a PaperCut NG/MF flaw leading to remote code execution that has been exploited in the wild since mid-April.


“The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network,” Symantec notes.

The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex, also leading to remote code execution.

Kaspersky senior security researcher Marc Rivero told SecurityWeek that Buhti has been observed targeting organizations in Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
