Buhti ransomware gang is a new threat to Windows and Linux systems, and its use of leaked code has made it easier for them to create a new ransomware variant. The group’s use of social engineering tactics has also made it easier for them to infect systems. Organizations should take steps to prevent and mitigate the impact of Buhti ransomware attacks by keeping software up to date, implementing multi-factor authentication, training employees, regularly backing up data, and using anti-virus and anti-malware software.
Buhti’s Tactics
The Buhti ransomware gang has adopted a new tactic by utilizing the leaked code of the LockBit and Babuk ransomware families [1][2][3]. This approach has allowed the group to create a new ransomware variant without developing its own payload. The group has also been observed using social engineering tactics to trick users into downloading and executing the ransomware. Once the ransomware infects a system, it encrypts all files and demands a ransom payment in exchange for the decryption key. The ransom amount varies depending on the victim’s size and the value of the encrypted data. The group also threatens to leak the stolen data if the ransom is not paid.
Impact of Buhti Ransomware
Buhti ransomware has already caused significant damage to several organizations, including hospitals, financial institutions, and government agencies. The group’s use of leaked code has made it easier to create a new ransomware variant, which has resulted in a higher success rate of attacks. The group’s use of social engineering tactics has also made it easier to infect systems: it has been observed using phishing emails, fake software updates, and other social engineering lures to trick users into downloading and executing the ransomware.
TTPs of Buhti Ransomware Gang
The Buhti ransomware gang has switched tactics and is now utilizing leaked LockBit and Babuk ransomware code to target Windows and Linux systems [3][4]. Despite the change in tactics, the group is still using a custom data exfiltration utility to steal files prior to encryption [3]. The use of leaked code by ransomware gangs is becoming more common, and new ransomware families are constantly emerging with unique features and payment methods. The threat actors behind Buhti, now known as ‘Blacktail,’ have not developed their own ransomware strain but have created a custom data exfiltration utility for blackmailing victims, employing the double-extortion tactic [1][2][4]. Successful attacks alter the wallpaper of compromised computers, instructing victims to contact the attackers via email to receive payment instructions [1][4].
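The sequence described above (bulk exfiltration, then mass file encryption, then a wallpaper change carrying contact instructions) can be expressed as a correlation rule over host telemetry. The following is an added illustration, not code from any of the cited reports; the event format, hostnames, paths and thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (ISO timestamp, host, event_type, detail). Not real logs.
# ws-07 follows the Buhti-style chain; ws-12 is benign background activity.
SAMPLE_EVENTS = [
    ("2023-05-25T01:00:00", "ws-07", "net_out", "420000000"),       # ~420 MB upload
    ("2023-05-25T01:21:00", "ws-07", "file_mod", "/srv/share/q1.xlsx"),
    ("2023-05-25T01:21:01", "ws-07", "file_mod", "/srv/share/q2.xlsx"),
    ("2023-05-25T01:21:02", "ws-07", "file_mod", "/srv/share/q3.xlsx"),
    ("2023-05-25T01:21:03", "ws-07", "file_mod", "/srv/share/q4.xlsx"),
    ("2023-05-25T01:21:04", "ws-07", "file_mod", "/srv/share/q5.xlsx"),
    ("2023-05-25T01:30:00", "ws-07", "wallpaper_change", "/home/u/.note.png"),
    ("2023-05-25T02:00:00", "ws-12", "net_out", "900000"),          # routine traffic
    ("2023-05-25T02:05:00", "ws-12", "file_mod", "/home/v/report.docx"),
    ("2023-05-25T02:06:00", "ws-12", "wallpaper_change", "/usr/share/bg.png"),
]


def detect_chain(events, exfil_bytes=100_000_000, mod_burst=5, window=timedelta(hours=1)):
    """Return {host: stage timestamps} for hosts where, in order, a large outbound
    transfer is followed within `window` by at least `mod_burst` file modifications,
    which are in turn followed within `window` by a wallpaper change.
    Thresholds are illustrative assumptions, not values from the reports."""
    by_host = defaultdict(list)
    for ts, host, etype, detail in sorted(events):          # ISO strings sort by time
        by_host[host].append((datetime.fromisoformat(ts), etype, detail))

    alerts = {}
    for host, evs in by_host.items():
        # Stage 1: exfiltration before encryption (custom exfil utility in the text).
        exfil_at = next((t for t, e, d in evs if e == "net_out" and int(d) >= exfil_bytes), None)
        if exfil_at is None:
            continue
        # Stage 2: burst of file modifications shortly after the transfer.
        mods = [t for t, e, _ in evs if e == "file_mod" and exfil_at < t <= exfil_at + window]
        if len(mods) < mod_burst:
            continue
        burst_at = mods[mod_burst - 1]
        # Stage 3: wallpaper replaced with the contact instructions.
        wall_at = next((t for t, e, _ in evs
                        if e == "wallpaper_change" and burst_at < t <= burst_at + window), None)
        if wall_at is None:
            continue
        alerts[host] = {"exfil": exfil_at, "encrypt_burst": burst_at, "wallpaper": wall_at}
    return alerts


if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_EVENTS).items():
        print(host, {k: v.isoformat() for k, v in stages.items()})
```

Requiring all three stages in order keeps a lone wallpaper change or a single large upload from firing on its own, which is the trade-off a detection engineer tunes against their own baseline.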
Prevention and Mitigation
To prevent and mitigate the impact of Buhti ransomware attacks, organizations should take the following steps:
- Keep all software and operating systems up to date with the latest security patches.
- Implement multi-factor authentication to prevent unauthorized access to systems.
- Train employees on how to identify and avoid phishing emails and other social engineering tactics.
- Regularly back up all critical data and store it in a secure location.
- Use anti-virus and anti-malware software to detect and remove any malicious software.
Conclusion
The Buhti ransomware gang is a new threat to Windows and Linux systems; leaked LockBit and Babuk code let it field a new ransomware variant quickly, and social engineering gives it a reliable way onto victim systems. The measures listed above (patching, multi-factor authentication, employee training, regular backups, and anti-malware software) remain the practical defences. The emergence of the Buhti ransomware gang highlights the importance of keeping software up to date and implementing strong security measures to protect against cyber threats.
Sources
- “New Buhti ransomware gang uses leaked Windows, Linux encryptors.” Bleeping Computer. May 25, 2023. https://www.bleepingcomputer.com/news/security/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/
- “Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code.” The Hacker News. May 25, 2023. https://thehackernews.com/2023/05/buhti-ransomware-gang-switches-tactics.html
- “Buhti Ransomware Gang Targets Windows and Linux Systems with Leaked Encryptors.” Vulnera. May 25, 2023. https://vulnera.com/newswire/buhti-ransomware-gang-targets-windows-and-linux-systems-with-leaked-encryptors/
- “Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code.” Hack Dojo. May 25, 2023. https://hackdojo.io/articles/65W55QOWY/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code
- “Buhti Ransomware Adopts Stolen Encryptors For Windows And Linux.” Information Security Buzz. May 25, 2023. https://informationsecuritybuzz.com/buhti-ransomware-adopts-stolen-encryptors-windows-linux/
- “New Buhti ransomware gang uses leaked Windows, Linux encryptors.” Reddit. April 29, 2023. https://www.reddit.com/r/cybersecurity/comments/13riht7/new_buhti_ransomware_gang_uses_leaked_windows/