New Buhti ransomware gang uses leaked Windows, Linux encryptors (Security News, May 2023)

A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.
The group behind Buhti, tracked as Blacktail, uses the Windows LockBit 3.0 builder that a disgruntled developer leaked on Twitter in September 2022.
For Linux attacks, Blacktail uses a payload based on the Babuk source code that a threat actor posted on a Russian-speaking hacking forum in September 2021.
Earlier this month, SentinelLabs and Cisco Talos highlighted cases of new ransomware operations using Babuk to attack Linux systems.
While malware reuse is generally considered a sign of less sophisticated actors, in this case, multiple ransomware groups gravitate towards Babuk due to its proven capability to compromise VMware ESXi and Linux systems, which are very profitable for cybercriminals.
The leaked LockBit and Babuk source code can be used by existing ransomware gangs who want to rebrand under a different name, leaving no connection to previous encryptors.