# Mass Attack buhtiRansom

**blog.threatzero.io/buhtiransom-934b4ed3c3fd**

Raphael Mendonça February 16, 2023

Restore-My-Files.txt
An unknown threat actor launched this week a wave of ransomware attacks against
vulnerable servers with CVE-2022–47986.

The vulnerability that affects IBM Aspera Faspex applications in versions prior to 4.4.2, is
present in approximately 300 hosts indexed in the Shodan platform.

Aspera Faspex is an application designed for file transfer and therefore it is common for
affected servers to have large volumes of connected storage.

We identified different encrypted servers, with the files renamed to the .buhti extension and
with the ransom note created on the same date, where the threat actor provides a link to the
SatoshiDisk platform as a payment method.

Considering the simple characteristics of the attacks, its expected to be just another threat
actor taking advantage of the opportunity.

We will continue to follow!

More information:

https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/
https://github.com/ohnonoyesyes/CVE-2022-47986/


-----

https://www.ibm.com/docs/en/aspera-faspex/4.4?topic=notes-release-aspera-faspex442


-----