Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

The recently identified Buhti operation uses LockBit and Babuk ransomware variants to target Linux and Windows systems.

The recently identified Buhti operation uses LockBit and Babuk ransomware variants to target Linux and Windows systems.

A recently identified ransomware operation called Buhti is using LockBit and Babuk variants to target both Linux and Windows systems, Symantec reports.

Initially observed in February 2023, the Buhti operation, which Symantec calls Blacktail, has been rapidly expanding since mid-April, exploiting recent vulnerabilities for initial access, and relying on a custom tool to steal victim files.

In a recent attack, the Buhti operators used a minimally modified version of the LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit leaked online in September 2022.

Previously, the operators were seen targeting Linux systems with the Golang-based variants of Babuk, the first ransomware to target ESXi systems. Babuk’s code leaked online in 2021.

Blacktail was also seen using a custom information stealer written in Golang, which searches the victim machine for specific files, including documents, archives, presentations, and audio and video files, and compresses them in a .ZIP archive.

The attackers can use command-line arguments to configure the tool to search within specific directories, and can also name the output archive.

The Blacktail group was also seen exploiting recent vulnerabilities, such as CVE-2023-27350, a PaperCut NG/MF flaw leading to remote code execution that has been exploited in the wild since mid-April.

“The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network,” Symantec notes.

Advertisement. Scroll to continue reading.

The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex, also leading to remote code execution.

Kaspersky senior security researcher Marc Rivero told SecurityWeek that Buhti has been observed targeting organizations in Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Related: Rheinmetall Says Military Business Not Impacted by Ransomware Attack

Related: Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

Related Content


LockBit appears to once again be the most active ransomware group, but experts believe the hackers may just be inflating their numbers. 

Data Breaches

Keytronic confirms that personal information was compromised after a ransomware group leaked allegedly stolen data.

Data Breaches

Ascension says patient information was stolen in an early-May ransomware attack that involved an employee downloading malware.


The Black Basta ransomware gang may have exploited the Windows privilege escalation flaw CVE-2024-26169 before it was patched.


The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure.

Data Breaches

Auction house Christie's says the data breach caused by the recent ransomware attack impacts the information of 45,000 individuals.

Data Breaches

Frontier Communications is notifying over 750,000 individuals that their personal information was stolen in a recent data breach.


A Russian cyber gang is believed to be behind a ransomware attack that disrupted London hospitals and led to operations and appointments being canceled.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version