Widespread Attacks by Rapidly Evolving Buhti Ransomware

A newly discovered ransomware group codenamed “Buhti” is making use of both LockBit and Babuk variations to target Linux and Windows systems, according to Symantec’s latest reports.


The criminal operation behind Buhti, which Symantec tracks as “Blacktail” (probably a play on how the group’s name sounds like a term for a part of the human anatomy), was first observed in February 2023 and has grown rapidly since mid-April.


Their modus operandi appears to center on exploiting recently disclosed vulnerabilities to gain a foothold in a victim network, then using a customized tool to exfiltrate the victim’s data before encrypting it for ransom.


In one attack, the Buhti attackers used a slightly modified version of the LockBit 3.0 ransomware (aka “LockBit Black”) to hit Windows machines. The LockBit builder had been leaked online only a handful of months earlier, in fall 2022.


The group’s targeting has shifted: it had previously gone after Linux systems with Golang-based variants of the “Babuk” ransomware, which was the first to target VMware ESXi systems (Babuk’s code was initially identified online back in 2021).


Blacktail has also been spotted using a custom information stealer (written in Golang) that searches victims’ machines for certain file types—including presentations, standard productivity documents, file archives, and even audio and video files—and compresses what it finds into a .ZIP archive for exfiltration.


The attackers use command-line arguments to configure the tool to search specific folders, customized per target. The group also favored exploiting recent vulnerabilities such as CVE-2023-27350, a PaperCut NG/MF flaw that allows remote code execution (first seen only in mid-April).
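As an added illustration (not code from Symantec’s report or from this article), the following heuristic shows how a defender could flag the collection pattern described above in endpoint file-activity telemetry: one process reading many document, archive, and media files across several folders and then writing a .ZIP archive. The event format, extension list, and sample events are all constructed assumptions.

```python
"""Heuristic detector for a Buhti-style file-collection pattern.
Event tuples are a constructed, hypothetical format: (pid, process, action, path)."""
from collections import defaultdict
from pathlib import PureWindowsPath

# File classes the article says the stealer looks for; exact extensions are assumptions.
TARGET_EXT = {
    ".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",  # presentations, documents
    ".zip", ".rar", ".7z",                                              # file archives
    ".mp3", ".wav", ".mp4", ".avi", ".mkv",                             # audio and video
}

# Constructed sample telemetry: a collector process sweeps several folders, then zips.
SAMPLE_EVENTS = [
    (4100, "collector.exe", "read",  r"C:\Users\alice\Documents\q1-report.docx"),
    (4100, "collector.exe", "read",  r"C:\Users\alice\Documents\budget.xlsx"),
    (4100, "collector.exe", "read",  r"C:\Users\alice\Desktop\deck.pptx"),
    (4100, "collector.exe", "read",  r"C:\Users\alice\Videos\town-hall.mp4"),
    (4100, "collector.exe", "read",  r"C:\Users\alice\Music\notes.mp3"),
    (4100, "collector.exe", "write", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
    (2210, "WINWORD.EXE",   "read",  r"C:\Users\alice\Documents\q1-report.docx"),  # benign editing
    (2210, "WINWORD.EXE",   "write", r"C:\Users\alice\Documents\q1-report.docx"),
    (3305, "explorer.exe",  "read",  r"C:\Users\alice\Desktop\deck.pptx"),
]

def detect_collection(events, min_files=5, min_dirs=2):
    """Return sorted pids that read >= min_files target-type files spread over
    >= min_dirs distinct directories and afterwards wrote a .zip archive."""
    reads = defaultdict(set)   # pid -> set of target files it has read so far
    wrote_zip = set()          # pids that wrote a .zip after reading target files
    for pid, _proc, action, path in events:
        ext = PureWindowsPath(path).suffix.lower()
        if action == "read" and ext in TARGET_EXT:
            reads[pid].add(path)
        elif action == "write" and ext == ".zip" and reads.get(pid):
            wrote_zip.add(pid)   # ordering matters: reads must precede the zip write
    hits = []
    for pid in wrote_zip:
        dirs = {str(PureWindowsPath(f).parent) for f in reads[pid]}
        if len(reads[pid]) >= min_files and len(dirs) >= min_dirs:
            hits.append(pid)
    return sorted(hits)

if __name__ == "__main__":
    print(detect_collection(SAMPLE_EVENTS))  # [4100]
```

Thresholds should be tuned against baseline activity from backup agents and sync clients, which legitimately read many files, so the .zip-write condition is what keeps the rule specific.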


Symantec explained, “The attackers exploited the vulnerability in order to install ConnectWise, Cobalt Strike, Meterpreter, Sliver, and AnyDesk, and these programs were then used to extract the data from and deliver the ransomware payload to as many computers as possible on the targeted network.”


According to Kaspersky senior security researcher Marc Rivero, Buhti has been seen targeting organizations in the United States, United Kingdom, Belgium, the Czech Republic, China, Estonia, Ethiopia, France, Germany, India, Spain, and Switzerland.


Does your organization have a solid ransomware protection program in place? If you’re not certain, now is an excellent time to contact Webcheck Security for a free discussion of your needs and a tailored quote for assistance from our expert and highly experienced virtual CISOs (vCISOs).
