Security News > 2023 > May > New Buhti ransomware gang uses leaked Windows, Linux encryptors
A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.
Blacktail uses the Windows LockBit 3.0 builder that a disgruntled developer leaked on Twitter in September 2022.
For Linux attacks, Blacktail uses a payload based on the Babuk source code that a threat actor posted on a Russian-speaking hacking forum in September 2021.
Earlier this month, SentinelLabs and Cisco Talos highlighted cases of new ransomware operations using Babuk to attack Linux systems.
While malware reuse is generally considered a sign of less sophisticated actors, in this case, multiple ransomware groups gravitate towards Babuk due to its proven capability to compromise VMware ESXi and Linux systems, which are very profitable for cybercriminals.
The leaked LockBit and Babuk source code can be used by existing ransomware gangs who want to rebrand under a different name, leaving no connection to previous encryptors.
News URL
Related news
- JPCERT shares Windows Event Log tips to detect ransomware attacks (source)
- Use Windows event logs for ransomware investigations, JPCERT/CC advises (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)