June 6, 2023

Researchers have identified a ransomware operation that rebuilt leaked LockBit and Babuk payloads into Buhti ransomware and uses it to attack both Windows and Linux systems.

A defining trait of the attackers leveraging the Buhti ransomware is their ability to quickly exploit newly disclosed vulnerabilities, including those in PaperCut, IBM Aspera and many other products, to bypass authentication and remotely execute code, giving them unauthorized access to targeted systems.


The Buhti ransomware payload targeting Windows computers is a slightly modified version of the leaked LockBit 3.0 ransomware. Encrypted files get the .buhti extension, and victims receive a ransom note outlining the demands and instructions for payment.

[Figure: Buhti ransom note (Source: Symantec)]

To target Linux systems, Buhti employs a variant of the leaked Babuk ransomware. Although the group relies on leaked and rebranded ransomware payloads, Blacktail also leverages a custom data-exfiltration tool to steal specific file types from compromised systems.

The attackers also use legitimate remote access tools such as AnyDesk and ConnectWise, along with cracked versions of pentesting tools such as Cobalt Strike, to access computers, steal data and deliver the ransomware payload.


Since there is no direct connection between Buhti and any known cybercrime organization, the researchers have dubbed the operators Blacktail. The reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, but Blacktail's general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated.

Indicators of Compromise

  • 063fcedd3089e3cea8a7e07665ae033ba765b51a6dc1e7f54dde66a79c67e1e7
  • eda0328bfd45d85f4db5dbb4340f38692175a063b7321b49b2c8ebae3ab2868c
  • e5d65e826b5379ca47a371505678bca6071f2538f98b5fef9e33b45da9c06206
  • d65225dc56d8ff0ea2205829c21b5803fcb03dc57a7e9da5062cbd74e1a6b7d6
  • d259be8dc016d8a2d9b89dbd7106e22a1df2164d84f80986baba5e9a51ed4a65
  • 8b5c261a2fdaf9637dada7472b1b5dd1d340a47a00fe7c39a79cf836ef77e441
  • 898d57b312603f091ff1a28cb2514a05bd9f0eb55ace5d6158cc118d1e37070a
  • 515777b87d723ebd6ffd5b755d848bb7d7eb50fc85b038cf25d69ca7733bd855
  • 4dc407b28474c0b90f0c5173de5c4f1082c827864f045c4571890d967eadd880
  • 22e74756935a2720eadacf03dc8fe5e7579f354a6494734e2183095804ef19fe
  • 18a79c8a97dcfff57e4984aa7e74aa6ded22af8e485e807b34b7654d6cf69eef
  • 01b09b554c30675cc83d4b087b31f980ba14e9143d387954df484894115f82d4
  • 7eabd3ba288284403a9e041a82478d4b6490bc4b333d839cc73fa665b211982c
  • 287c07d78cafc97fb4b7ef364a228b708d31e8fe8e9b144f7db7d986a1badd52
  • 32e815ef045a0975be2372b85449b25bd7a7c5a497c3facc2b54bcffcbb0041c
  • 5b3627910fe135475e48fd9e0e89e5ad958d3d500a0b1b5917f592dc6503ee72
  • d59df9c859ccd76c321d03702f0914debbadc036e168e677c57b9dcc16e980cb
  • de052ce06fea7ae3d711654bc182d765a3f440d2630e700e642811c89491df72
  • 65c91e22f5ce3133af93b69d8ce43de6b6ccac98fc8841fd485d74d30c2dbe7b
  • 8041b82b8d0a4b93327bc8f0b71672b0e8f300dc7849d78bb2d72e2e0f147334
  • 8b2cf6af49fc3fb1f33e94ad02bd9e43c3c62ba2cfd25ff3dfc7a29dde2b20f2
  • 97378d58815a1b87f07beefb24b40c5fb57f8cce649136ff57990b957aa9d56a
  • c33e56318e574c97521d14d68d24b882ffb0ed65d96203970b482d8b2c332351
  • 9b8adde838c8ea2479b444ed0bb8c53b7e01e7460934a6f2e797de58c3a6a8bf
  • 9f0c35cc7aab2984d88490afdb515418306146ca72f49edbfbd85244e63cfabd
  • ca6abfa37f92f45e1a69161f5686f719aaa95d82ad953d6201b0531fb07f0937
  • bdfac069017d9126b1ad661febfab7eb1b8e70af1186a93cb4aff93911183f24
  • 91.215.85[.]183
  • 81.161.229[.]120
