Buhti is a piece of malicious software, or malware, first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware that targets Linux systems. The Buhti ransomware operation was further detailed by Symantec’s Threat Hunter Team in May of the same year. Its payload included variants built not only from the leaked LockBit builder but also from leaked code of the Babuk ransomware family. The operators behind Buhti, named "Blacktail" by Symantec, demonstrated a high level of competence in carrying out attacks and an ability to exploit newly discovered vulnerabilities.
In 2022, the ransomware builder for LockBit 3.0 was leaked online, and two ransomware groups, Bl00dy and Buhti, quickly launched their own campaigns using this builder. The threat actors behind Buhti eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. This reuse of leaked payloads is often seen as a hallmark of less-skilled ransomware operations, but Blacktail's general competence suggests otherwise.
The IBM Aspera Faspex code execution vulnerability (CVE-2022-47986) was exploited by the operators of the "IceFire" and "Buhti" ransomware to deploy malware specifically on the Linux systems of media and entertainment companies, mainly in Turkey, Iran, Pakistan, and the UAE. The bug, patched in December 2022, has been co-opted by cybercriminals in ransomware campaigns associated with Buhti and IceFire since February, shortly after the release of a proof-of-concept (PoC) exploit. Since then, the group has launched multiple attacks as part of its latest ransomware campaign, labeled Buhti.
Description last updated: 2024-05-04T21:41:04.611Z