A recently identified ransomware operation called Buhti is using LockBit and Babuk variants to target both Linux and Windows systems, Symantec reports.
Initially observed in February 2023, the Buhti operation, which Symantec calls Blacktail, has been rapidly expanding since mid-April, exploiting recent vulnerabilities for initial access, and relying on a custom tool to steal victim files.
In a recent attack, the Buhti operators used a minimally modified version of the LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit leaked online in September 2022.
Previously, the operators were seen targeting Linux systems with the Golang-based variants of Babuk, the first ransomware to target ESXi systems. Babuk’s code leaked online in 2021.
Blacktail was also seen using a custom information stealer written in Golang, which searches the victim machine for specific files, including documents, archives, presentations, and audio and video files, and compresses them in a .ZIP archive.
The attackers can use command-line arguments to configure the tool to search within specific directories, and can also name the output archive.
The Blacktail group was also seen exploiting recent vulnerabilities, such as CVE-2023-27350, a PaperCut NG/MF flaw leading to remote code execution that has been exploited in the wild since mid-April.
“The attackers exploited the vulnerability in order to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The tools were leveraged to steal data from, and deliver the ransomware payload to, multiple computers on the targeted network,” Symantec notes.
The group also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex that likewise leads to remote code execution.
Kaspersky senior security researcher Marc Rivero told SecurityWeek that Buhti has been observed targeting organizations in Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US.