Buhti, the new ransomware that attacks Windows and Linux systems in Spain

by time news

2023-06-23 11:53:33

This new threat uses leaked code from the LockBit and Babuk ransomware families to attack both operating systems. The cybercriminals have not developed their own ransomware strain, but they have built a custom data-exfiltration utility to blackmail victims, a tactic known as 'double extortion'.

Blacktail, a recently discovered ransomware gang, has attacked Windows and Linux systems around the world, including in Spain, with the Buhti ransomware. The threat was first detected in February 2023 by Palo Alto Networks' Unit 42 team, who identified it as Go-based ransomware targeting Linux, as reported by BleepingComputer.

This threat uses leaked code from the LockBit and Babuk ransomware families to attack both operating systems and relies on a technique called 'double extortion' to blackmail victims. Besides encrypting the victim's files, the attackers steal the data and demand a ransom for it. If the ransom is not paid, or not paid on time, and in some cases even when it is paid on time and in full, the cybercriminals publish part of the stolen data and later demand a larger sum.

When the attack succeeds, the computer's wallpaper is changed and the victim is prompted to open the ransom note. All encrypted files are given the extension '.buhti'.
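The two indicators the article describes, a changed wallpaper and files renamed with the '.buhti' extension, are what an incident responder would triage first. The following script is an added example, not code from the article, from Kaspersky or from Blacktail: it scans a set of files, flags those carrying the '.buhti' extension, and uses Shannon entropy to separate genuinely encrypted content from files that were merely renamed. The 7.0-bits-per-byte entropy threshold and the sample files are assumptions constructed for the example.

```python
import math
from collections import Counter

# Extension the article reports on files encrypted by Buhti.
BUHTI_EXT = ".buhti"

# Assumed threshold: well-encrypted data approaches 8 bits/byte; ordinary
# documents and source code sit well below 7.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(files: dict[str, bytes], ext: str = BUHTI_EXT,
           threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Classify an in-memory snapshot of path -> content.

    Returns the encrypted files (extension matches and entropy is high),
    files that only look renamed (extension matches but entropy is low,
    which happens with truncated or partially written files), and the
    fraction of the snapshot that is encrypted.
    """
    encrypted, renamed_only = [], []
    for path, content in files.items():
        if not path.lower().endswith(ext):
            continue
        entropy = round(shannon_entropy(content), 2)
        (encrypted if entropy >= threshold else renamed_only).append((path, entropy))
    total = len(files)
    return {
        "total": total,
        "encrypted": sorted(encrypted),
        "renamed_only": sorted(renamed_only),
        "ratio": len(encrypted) / total if total else 0.0,
    }


def host_is_hit(result: dict) -> bool:
    """A single confirmed encrypted file is enough to escalate the host."""
    return bool(result["encrypted"])


# Constructed sample snapshot (not real victim data). The byte pattern
# bytes(range(256)) repeated gives exactly 8.0 bits/byte, standing in for
# ciphertext; the text files stand in for plaintext.
SAMPLE_FILES = {
    "C:/Users/ana/Documents/report.docx.buhti": bytes(range(256)) * 16,
    "/srv/db/backup.sql.buhti": bytes(range(256)) * 8,
    "/home/ops/notes.txt.buhti": b"meeting notes\n" * 100,   # renamed, not encrypted
    "/home/ops/README.md": b"# Service runbook\n" * 20,       # untouched
}

if __name__ == "__main__":
    summary = triage(SAMPLE_FILES)
    print(f"{len(summary['encrypted'])}/{summary['total']} files encrypted "
          f"({summary['ratio']:.0%}); host hit: {host_is_hit(summary)}")
    for path, entropy in summary["renamed_only"]:
        print(f"  low-entropy '.buhti' file, check for partial write: {path} ({entropy})")
```

Run it as-is to see the verdict on the constructed snapshot; in practice the `files` mapping would be built from a file-system walk of the suspect host, reading only the first few kilobytes of each file to keep the entropy check cheap.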

Buhti targets organizations around the world. Specifically, Kaspersky experts have observed attacks in Spain, the Czech Republic, China, the United Kingdom, Ethiopia, the United States, France and Belgium.

"According to Kaspersky's observations, Buhti has been actively attacking Windows and Linux systems, some of them in Spain, since the beginning of February 2023. Unlike other cyber-attacks that rely on developing their own payloads, this group exclusively uses variants of the LockBit and Babuk ransomware families leaked online," explains Marc Rivero, Senior Security Researcher at Kaspersky. "Though they lack the ability to create their own malicious code, the cybercriminals behind Buhti do have access to a custom-built tool: an information stealer designed to find and store specific files. Both the Windows and Linux versions share a different codebase," he concludes.

Although groups that reuse leaked code are not usually regarded as sophisticated, Blacktail uses its own fully customized exfiltration tool and a distinct network-intrusion strategy.

To keep companies and businesses protected from ransomware, experts recommend:

Make backups regularly and store them on devices that are not connected to the corporate network, so that data can be restored if an attack succeeds.
Update the operating system and applications regularly.
Use strong passwords for corporate services and enable two-factor authentication for remote access.
Explain to employees how cyberattacks happen: email, websites and files downloaded from third-party sources are major attack vectors. Train staff and run controlled tests so they learn to recognize threats.
Use cybersecurity services and solutions that identify and stop attacks at an early stage, before the attackers achieve their objectives.
