New Buhti ransomware gang uses leaked Windows, Linux encryptors
2023-05-25 10:00

A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.

Blacktail, the group operating Buhti, uses the Windows LockBit 3.0 builder that a disgruntled developer leaked on Twitter in September 2022.

For Linux attacks, Blacktail uses a payload based on the Babuk source code that a threat actor posted on a Russian-speaking hacking forum in September 2021.

Earlier this month, SentinelLabs and Cisco Talos highlighted cases of new ransomware operations using Babuk to attack Linux systems.

While malware reuse is generally considered a sign of less sophisticated actors, in this case, multiple ransomware groups gravitate towards Babuk due to its proven capability to compromise VMware ESXi and Linux systems, which are very profitable for cybercriminals.

The leaked LockBit and Babuk source code can be used by existing ransomware gangs who want to rebrand under a different name, leaving no connection to previous encryptors.
