Buhti Ransomware Adopts Stolen Encryptors For Windows & Linux

By Olivia William
Writer, Information Security Buzz | May 25, 2023 03:01 am PST

The perpetrators behind the budding Buhti ransomware have abandoned their own payload in favor of the leaked LockBit and Babuk ransomware families, which they use to attack Windows and Linux systems.

Symantec is tracking the group under the name Blacktail. In February 2023, Palo Alto Networks Unit 42 first brought attention to Buhti, describing it as a Golang ransomware that specifically targets Linux.

Later that month, Bitdefender disclosed that a Windows variant was used to attack Zoho ManageEngine products affected by a serious remote code execution weakness (CVE-2022-47966).

In subsequent observations, the actors have been seen rapidly exploiting other critical issues affecting IBM’s Aspera Faspex file exchange application (CVE-2022-47986) and PaperCut (CVE-2023-27350) to deploy the ransomware.

Symantec’s most recent findings suggest a shift in Blacktail’s strategy, as the actor is now using modified versions of the stolen LockBit 3.0 and Babuk ransomware source code to attack Windows and Linux, respectively.

In September 2021 and September 2022, respectively, the ransomware source code for Babuk and LockBit was made publicly available online, inspiring a slew of copycats.

The Bl00dy Ransomware Gang, recently highlighted by U.S. government agencies for targeting insecure PaperCut servers in attacks against the education sector in the country, is one well-known cybercrime outfit that is already using the LockBit ransomware builder.

Despite the name change, Blacktail has been seen using the same proprietary data exfiltration program written in Go that was used previously under the old name. This application is designed to steal files with specified extensions and then encrypt them.

While Blacktail’s use of previously leaked payloads is indicative of a less sophisticated ransomware operation, Symantec warns that it should not be underestimated because of Blacktail’s general competence in carrying out attacks and its ability to recognize the utility of newly discovered vulnerabilities.

The threat of ransomware is constant for businesses. Earlier this month, Fortinet FortiGuard Labs described the Maori ransomware family, written in Go and optimized for Linux.

The use of Go and Rust reflects a dynamic cybercrime environment in which new methods are continuously adopted, and a desire on the part of threat actors to produce “adaptive” cross-platform ransomware and increase the attack surface.

According to Kaspersky’s ransomware trends report for 2023, “major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals,” potentially enhancing the capability of their own malware.

Cyble claims that the new ransomware family Obsidian ORB is inspired by the Chaos ransomware family that has served as the basis for earlier ransomware strains such as BlackSnake and Onyx.

The ransomware is notable because it uses a novel ransom payment technique, requiring victims to pay the ransom with gift cards rather than money. Because threat actors (TAs) can adapt the code, this strategy is effective and convenient for them, according to the cybersecurity industry.


A new ransomware operation known as ‘Buhti’ targets Windows and Linux systems using exposed code from the LockBit and Babuk ransomware families. The threat actors behind Buhti (now known as “Blacktail”) have not developed their own ransomware strain, but they have developed a unique data exfiltration tool in order to double-extort their victims. In February 2023, the Unit 42 team at Palo Alto Networks identified Buhti as a Go-based ransomware targeting Linux. Today’s report by Symantec’s Threat Hunter team indicates that Buhti also targets Windows using a variant of LockBit 3.0 codenamed “LockBit Black.”

Blacktail employs the Windows LockBit 3.0 builder that a dissatisfied developer disclosed on Twitter in September 2022. Successful attacks change the desktop background of compromised computers to instruct victims to open the ransom note, and all encrypted files receive the “.buthi” extension. For Linux attacks, Blacktail employs a payload based on the Babuk source code, which a threat actor posted on a Russian-language hacking forum in September 2021. SentinelLabs and Cisco Talos highlighted new ransomware attacks using Babuk against Linux systems earlier this month. While malware reuse is typically a sign of less sophisticated actors, in this instance multiple ransomware groups gravitate towards Babuk due to its demonstrated ability to compromise highly lucrative VMware ESXi and Linux systems.
