A ransomware operation uses variants of LockBit and Babuk.
Blacktail, a new ransomware group using recycled ransomware.
A new ransomware operation calling itself Buhti has been discovered by researchers at Symantec. The operation uses variants of the LockBit and Babuk ransomware, as well as a custom infostealer that is able to search for and archive specified file types. “Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks,” wrote Symantec. The researchers were unable to attribute this new campaign to any known threat actor and have therefore dubbed the associated group “Blacktail.”
Recycled ransomware and a custom infostealer.
Blacktail (Buhti) has been observed using a slightly modified version of the LockBit ransomware; however, the C2 element appears to have been disabled, as no command-and-control server is specified. The group has also been noted to use a leaked version of the Babuk ransomware, which carries the same ransom note as the group's LockBit variant. The researchers at Symantec explain that Blacktail is using a custom exfiltration tool. “The tool can be configured via command-line arguments to specify both the directory to search for files of interest in and the name of the output archive,” wrote the researchers.
Blacktail shows signs of being a sophisticated, dangerous actor.
The recent Blacktail attacks have been found to exploit the recently disclosed PaperCut NG and MF vulnerabilities. Though these vulnerabilities have been patched, Symantec considers their use an indication of the ransomware group’s sophistication. “While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated.”