Security News > 2023 > May > New Buhti ransomware gang uses leaked Windows, Linux encryptors
A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.
Blacktail uses the Windows LockBit 3.0 builder that a disgruntled developer leaked on Twitter in September 2022.
For Linux attacks, Blacktail uses a payload based on the Babuk source code that a threat actor posted on a Russian-speaking hacking forum in September 2021.
Earlier this month, SentinelLabs and Cisco Talos highlighted cases of new ransomware operations using Babuk to attack Linux systems.
While malware reuse is generally considered a sign of less sophisticated actors, in this case, multiple ransomware groups gravitate towards Babuk due to its proven capability to compromise VMware ESXi and Linux systems, which are very profitable for cybercriminals.
The leaked LockBit and Babuk source code can be used by existing ransomware gangs who want to rebrand under a different name, leaving no connection to previous encryptors.
News URL
Related news
- Switzerland: Play ransomware leaked 65,000 government documents (source)
- Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver (source)
- NHS Scotland confirms ransomware attackers leaked patients’ data (source)
- Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware (source)
- Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers (source)