A new ransomware group, called Buhti, has been discovered by Symantec researchers. The group is using variants of LockBit and Babuk ransomware, as well as a custom infostealer. Buhti first came to public attention in February 2023, when it was reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks.
The researchers were unable to attribute this new campaign to any known threat actor, which is why they have dubbed the associated group “Blacktail”. According to Symantec, Blacktail shows signs of being a sophisticated and dangerous actor. The recent Blacktail attacks have been found to exploit the recently disclosed PaperCut NG and MF vulnerabilities, even though patches for them are already available. This is taken as an indication of the ransomware group’s sophistication.
Blacktail has been observed using a slightly modified version of the LockBit ransomware, although it appears to have disabled the command-and-control (C2) element, as no C2 server is specified. The group has also been seen using a leaked version of the Babuk ransomware, which contains the same ransom note as the one used in its LockBit variant.
The researchers at Symantec explain that Blacktail is using a custom exfiltration tool. The tool can be configured via a command-line interface to specify both the directory to search for files of interest in and the name of the output archive.
Although the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated, according to Symantec.
Ransomware attacks have become an increasingly prevalent form of cybercrime in recent years. These attacks are often successful because they exploit vulnerabilities in computer systems that have not been patched or updated with the latest security updates. Ransomware attacks involve the encryption of files on a victim’s computer, followed by a demand for payment in exchange for the decryption key necessary to unlock the files.
To avoid falling victim to ransomware attacks, it is essential to maintain up-to-date security protocols and install all security updates as soon as they become available. Additionally, it is important to back up all critical data on a regular basis and keep those backups offline and away from the network that is being backed up.
Symantec encourages all organizations to take ransomware seriously, and to have a plan in place to mitigate any potential attacks. This plan should include regular security audits, a solid backup strategy, and ongoing education and training for employees who may be targeted by phishing attacks or other social engineering tactics used by cybercriminals.