{
	"id": "3c2dfd8b-a8e8-433e-81f0-83f63c92e1ea",
	"created_at": "2026-04-06T00:18:58.644334Z",
	"updated_at": "2026-04-10T03:25:27.236962Z",
	"deleted_at": null,
	"sha1_hash": "54ba9801d8be769e078a5c3fc538bfa22a412b44",
	"title": "Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code - RedPacket Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66484,
	"plain_text": "Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code - RedPacket Security\r\nBy April 1, 2026\r\nPublished: 2023-05-25 · Archived: 2026-04-05 15:15:07 UTC\r\nThe threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.\r\n“While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types,” Symantec said in a report shared with The Hacker News.\r\nThe cybersecurity firm is tracking the cybercrime group under the name Blacktail. Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023, which described it as a Golang ransomware targeting the Linux platform.\r\nLater that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws (CVE-2022-47966).\r\nThe operators have since been observed swiftly exploiting other severe bugs impacting IBM’s Aspera Faspex file exchange application (CVE-2022-47986) and PaperCut (CVE-2023-27350) to drop the ransomware.\r\nThe latest findings from Symantec show that Blacktail’s modus operandi might be changing, with the actor leveraging modified versions of the leaked LockBit 3.0 and Babuk ransomware source code to target Windows and Linux, respectively.\r\nhttps://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/\r\nPage 1 of 3\n\nBoth Babuk and LockBit have had their ransomware source code published online, in September 2021 and September 2022 respectively, spawning multiple imitators.\r\nOne notable cybercrime group that’s already using the LockBit ransomware builder is the Bl00dy Ransomware Gang, which was recently spotlighted by U.S. government agencies as exploiting vulnerable PaperCut servers in attacks against the education sector in the country.\r\nDespite the rebranding changes, Blacktail has been observed utilizing a custom data exfiltration utility written in Go that’s designed to steal files with specific extensions in the form of a ZIP archive prior to encryption.\r\n“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” Symantec said.\r\nRansomware continues to pose a persistent threat for enterprises. Fortinet FortiGuard Labs, earlier this month, detailed a Go-based ransomware family called Maori that’s specifically designed to run on Linux systems.\r\nWhile the use of Go and Rust signals an interest on the part of threat actors to develop “adaptive” cross-platform ransomware and maximize the attack surface, it’s also a sign of an ever-evolving cybercrime ecosystem where new techniques are adopted on a continual basis.\r\n“Major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals, which may improve the functionality of their own malware,” Kaspersky noted in its ransomware trends report for 2023.\r\nIndeed, according to Cyble, a new ransomware family dubbed Obsidian ORB takes a leaf out of Chaos, which has also been the foundation for other ransomware strains like BlackSnake and Onyx.\r\nWhat makes the ransomware stand out is that it employs a rather distinctive ransom payment method, demanding that victims pay the ransom through gift cards as opposed to cryptocurrency payments.\r\n“This approach is effective and convenient for threat actors (TAs) as they can modify and customize the code to their preferences,” the cybersecurity firm said.\r\nSource: https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/"
	],
	"report_names": [
		"buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code"
	],
	"threat_actors": [
		{
			"id": "a9670e60-de2b-4c77-97ea-28e73f92902a",
			"created_at": "2023-11-30T02:00:07.264397Z",
			"updated_at": "2026-04-10T02:00:03.480707Z",
			"deleted_at": null,
			"main_name": "Blacktail",
			"aliases": [],
			"source_name": "MISPGALAXY:Blacktail",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791527,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54ba9801d8be769e078a5c3fc538bfa22a412b44.pdf",
		"text": "https://archive.orkl.eu/54ba9801d8be769e078a5c3fc538bfa22a412b44.txt",
		"img": "https://archive.orkl.eu/54ba9801d8be769e078a5c3fc538bfa22a412b44.jpg"
	}
}