Ransomware, Threat Management, Malware

Leaked LockBit, Babuk code leveraged by Buhti ransomware operation

BleepingComputer reports that Windows and Linux systems are being targeted by Blacktail's Buhti ransomware operation using leaked LockBit and Babuk ransomware source code. According to a report from Symantec's Threat Hunter team, Blacktail's Windows attacks use a payload built with the leaked Windows LockBit 3.0 builder that encrypts files and appends the ".buhti" extension, while a payload derived from the Babuk source code has been used in intrusions against Linux systems. Despite reusing leaked ransomware source code, the Buhti operation brings its own Go-based exfiltration tool and its own network infiltration technique, and gains initial access by exploiting the PaperCut NG and MF remote code execution vulnerability, tracked as CVE-2023-27350, and the IBM Aspera Faspex flaw, tracked as CVE-2022-47986, the researchers said. Organizations in the U.S., China, Belgium, India, Estonia, Switzerland, Spain, Germany, Ethiopia, and the U.K. have already been hit by Buhti ransomware, which Kaspersky researcher Marc Rivero noted as a sign of how significant a threat the Blacktail operation is.
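For responders who need to size up an intrusion like the one described above, the following triage helper is an added example (not code from the article, from Symantec, or from the Buhti operators). It walks a directory tree and flags files that carry a watched ransomware extension and whose leading bytes have the near-maximal entropy typical of encrypted output, then summarizes hits per directory. The `.buhti` extension is the one the article reports for this operation; the entropy threshold, sample size and the constructed sample tree built by `demo()` are assumptions for illustration.

```python
"""
Triage helper: find files in a tree that look like the output of a
Buhti-style encryptor (renamed with a watched extension and holding
high-entropy content). Added example; not code from the page, from
Symantec, or from the malware itself.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports for Buhti-encrypted files. Extend this set
# with whatever extensions your own incident shows.
WATCHLIST = {".buhti"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 4096, threshold: float = 7.5) -> bool:
    """Heuristic: a file whose first sample_bytes are near-random is probably
    ciphertext. Tiny files are skipped because entropy is unreliable there.
    Both parameters are assumptions for this example, not vendor values."""
    try:
        with path.open("rb") as fh:
            sample = fh.read(sample_bytes)
    except OSError:
        return False
    return len(sample) >= 256 and shannon_entropy(sample) >= threshold


def scan_tree(root, watchlist=WATCHLIST) -> dict:
    """Return the files under root that match the watchlist AND look encrypted,
    plus a per-directory count that highlights where the encryptor ran."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in watchlist and looks_encrypted(p):
                hits.append(p)
    by_dir = Counter(str(h.parent) for h in hits)
    return {
        "count": len(hits),
        "hits": sorted(str(h) for h in hits),
        "by_dir": dict(by_dir),
    }


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it.
    Two files are realistic hits; the others are decoys that must not match."""
    rng = random.Random(1234)  # deterministic "ciphertext" for the demo
    base = Path(tempfile.mkdtemp(prefix="buhti-triage-"))
    (base / "finance").mkdir()
    samples = {
        "finance/report.docx.buhti": rng.randbytes(2048),   # hit: watched ext, random bytes
        "notes.txt.buhti": rng.randbytes(1024),             # hit
        "tiny.buhti": b"x" * 100,                           # too small to judge
        "zeros.buhti": b"\x00" * 4096,                      # watched ext but zero entropy
        "plain.txt": b"hello world " * 400,                 # not watched, low entropy
    }
    for rel, content in samples.items():
        (base / rel).write_bytes(content)
    return scan_tree(base)


if __name__ == "__main__":
    result = demo()
    print(f"{result['count']} suspicious files")
    for d, n in result["by_dir"].items():
        print(f"  {n} in {d}")
```

Run it against a mounted image or a live share root instead of `demo()`'s temp tree; the per-directory counts tell you where the encryptor started and how far it got, which is the first question an IR lead asks before scoping restores.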
