"New Buhti Ransomware Gang Uses Leaked Windows, Linux Encryptors"

A new ransomware operation, "Buhti," targets Windows and Linux systems using leaked code from the LockBit and Babuk ransomware families. Although the threat actors behind Buhti, now tracked as "Blacktail," have not developed their own ransomware strain, they have created a custom data exfiltration tool to double-extort victims. In February 2023, Palo Alto Networks' Unit 42 team identified Buhti as a Linux-targeting ransomware written in Go. Symantec's Threat Hunter team has published a new report showing that Buhti also targets Windows using a modified LockBit 3.0 variant named "LockBit Black." Blacktail uses the Windows LockBit 3.0 builder leaked by a disgruntled developer on Twitter in September 2022. For Linux attacks, Blacktail uses a payload based on the Babuk source code posted on a Russian-language hacking forum in September 2021. Malware reuse is typically a sign of less sophisticated actors. However, in this case, multiple ransomware groups gravitate towards Babuk due to its demonstrated ability to compromise VMware ESXi and Linux systems. Targeting these systems has been profitable for cybercriminals. This article continues to discuss the use of leaked Windows and Linux encryptors by the Buhti ransomware gang. 

Bleeping Computer reports "New Buhti Ransomware Gang Uses Leaked Windows, Linux Encryptors"
