Buhti Ransomware Gang Switches Tactics, Leverages Leaked LockBit and Babuk Codes

May 25, 2023Ravie LakshmananEndpoint Security / Cyber ​​Threats

The threat actor behind the newborn Buhti ransomware have eschewed their particular payload in favor of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems.

“While the group did not develop the ransomware itself, it does make use of what appear to be specially developed, information-stealing tools designed to locate and archive certain file types,” Symantec said in a report shared with The Hacker News.

The cybersecurity firm is tracking down a cybercrime group with that name Black tail. Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023, describe it as the Golang ransomware which targets the Linux platform.

Later that month, Bitdefender disclosed the use of a Windows variant deployed in its Zoho ManageEngine product that was vulnerable to a critical remote code execution flaw (CVE-2022-47966).

The operator has since been observed quickly exploiting another severe bug affecting IBM’s Aspera Faspex (CVE-2022-47986) and PaperCut (CVE-2023-27350) file exchange applications to take down the ransomware.

Recent findings from Symantec suggest that Blacktail’s modus operandi may be changing, by leveraging modified versions of the leaked LockBit 3.0 and Babuk ransomware source code to target Windows and Linux respectively.

Both Babuk and LockBit own the source code of their ransomware published online in September 2021 and September 2022, spawned many imitators.

A well-known cybercrime group already using LockBit ransomware maker is Bl00dy Ransomware Gang, which was recently brought under scrutiny by US government agencies for exploiting vulnerable PaperCut servers in an attack on the country’s education sector.

Blacktail may have reused existing malware for efficiency reasons, but it uses a special data exfiltration utility written in Go designed to steal files with certain extensions in the form of ZIP archives before encryption.

“While reuse of leaked payloads is often a feature of less skilled ransomware operations, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize newly discovered utility vulnerabilities, demonstrates that it should not be underestimated,” said Symantec.

Ransomware continues to spawn a constant threats for company. Fortinet FortiGuard Labs, earlier this month, detailed a family of Go-based ransomware called Maori specifically designed to run on Linux systems.

While the use of Go and Rust indicates an interest on the part of threat actors to develop cross-platform ransomware that is “adaptive” and maximizes the attack surface, it is also a sign of an evolving cybercrime ecosystem where new techniques are continuously adopted. .

“Major ransomware gangs borrow capabilities from leaked code or code purchased from other cybercriminals, which can enhance the functionality of their own malware,” Kaspersky noted in the ransomware trends report for 2023.

Indeed, according to Cyble, the newly dubbed ransomware family Obsidian ORBs takes a leaf from Chaos, which is also its foundation other ransomware strains like Black snake and Onyx.

What makes the ransomware stand out is that it uses a rather typical ransom payment method, demanding victims pay the ransom via gift cards instead of cryptocurrency payments.

“This approach is effective and convenient for threat actors (TAs) as they can modify and adapt the code according to their preferences,” said the cybersecurity firm.