Buhti Ransomware Operation Repurposes Leaked Encryptors


Threat Level
Attack Report


Summary

Buhti ransomware, linked to Blacktail threat actors, uses leaked code from LockBit and Babuk variants. By exploiting vulnerabilities such as those in PaperCut NG, the operators exfiltrate data and distribute ransomware. They have also added a custom exfiltration tool written in Golang, which heightens this evolving threat.
