Buhti, a ‘ransomware’ that uses the double extortion technique and operates in Spain

June 23 (Portaltic/EP) –

Cybersecurity researchers have warned of a new ‘ransomware’ for Linux and Windows that uses a technique known as double extortion, that is, it steals the victims’ data, demands a ransom, and exposes the data if they refuse to pay, and that operates in Spain.

Unit 42, the threat intelligence team of the cybersecurity company Palo Alto Networks, discovered this ‘malware’, identified as Buhti, in February 2023. At the time it described it as a ‘ransomware’ written in Go (also known as Golang) that targeted Linux.

More recently, researchers from Symantec Threat Hunter have determined that Buhti, which is operated by the Blacktail threat group, also targets Windows-based devices. This is possible because they use a slightly modified variant of LockBit 3.0, codenamed LockBit Black.

Symantec points out that, although these cybercriminals do not develop their own ‘ransomware’, “it uses what appears to be a custom-developed tool”, that is, “an information thief designed to search for and store specific types of files”.

More specifically, this threat uses leaked code from the LockBit and Babuk ransomware families to target both operating systems, and it uses a technique called ‘double extortion’ to blackmail the victims.

This means that cybercriminals first steal the victims’ data and then demand a ransom payment. If the amount offered is not what the attackers demand, or it is not paid on time, part of the stolen data is published.

However, Kaspersky points out that in certain cases cybercriminals also leak their victims’ information regardless of whether they have received the requested amount or have been paid within the stated deadline.

This cybersecurity company has recalled that, when the attack succeeds, the desktop background changes to black and displays the ransom note. At that point all encrypted files carry the extension ‘.buthi’.

This ‘ransomware’, which targets organizations around the world, has been observed in Spain, the Czech Republic, the United Kingdom, France and Belgium in Europe, as well as in China, Ethiopia and the United States.

Although these cybercriminals do not have the ability to create their own malicious code, Kaspersky recalls that “they have access to a custom-developed tool: an information stealer designed to find and store specific files. Both the Windows and Linux versions share a different code base,” according to the firm’s Senior Security Researcher, Marc Rivero.

This custom stealer collects files with a range of extensions, including .pdf, .php, .wmv, .xml, .zip, .docx, .aiff, .epub, .json and .wma, among others.
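The two observable artefacts the article gives a responder are the ‘.buthi’ extension on encrypted files and the list of file types the stealer collects. The following script is an added triage example (it is not code from the article, Symantec or Kaspersky) that walks a directory tree, lists files carrying the ransom extension, and flags those whose original extension is on the stealer’s target list, since those are the files most likely to have been exfiltrated before encryption and therefore at risk of being leaked. The sample directory tree it builds is constructed for the demonstration and is not real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator from the article: encrypted files receive this extension.
RANSOM_EXTENSION = ".buthi"

# File types the article says the custom stealer collects.
STEALER_TARGET_EXTENSIONS = {
    ".pdf", ".php", ".wmv", ".xml", ".zip", ".docx",
    ".aiff", ".epub", ".json", ".wma",
}


def triage_tree(root):
    """Walk `root` and report files that carry the ransom extension.

    Returns a dict with:
      encrypted           - paths ending in RANSOM_EXTENSION
      likely_exfiltrated  - subset whose original extension is on the
                            stealer's target list (double-extortion risk)
      by_directory        - number of encrypted files per directory
    """
    encrypted = []
    likely_exfiltrated = []
    by_directory = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(RANSOM_EXTENSION):
                continue
            path = Path(dirpath) / name
            encrypted.append(str(path))
            by_directory[dirpath] += 1
            # Strip the ransom suffix to recover the original file name and
            # check whether its extension is one the stealer targets.
            original_name = name[: -len(RANSOM_EXTENSION)]
            if Path(original_name).suffix.lower() in STEALER_TARGET_EXTENSIONS:
                likely_exfiltrated.append(str(path))
    return {
        "encrypted": sorted(encrypted),
        "likely_exfiltrated": sorted(likely_exfiltrated),
        "by_directory": dict(by_directory),
    }


def build_sample_tree(base):
    """Create a constructed directory tree that mimics a post-attack host."""
    files = [
        "finance/q1-report.pdf.buthi",   # encrypted, .pdf is on the stealer list
        "finance/budget.docx.buthi",     # encrypted, .docx is on the stealer list
        "www/index.php.buthi",           # encrypted, .php is on the stealer list
        "media/clip.mp4.buthi",          # encrypted, but .mp4 is not on the list
        "notes/readme.txt",              # untouched file, must be ignored
    ]
    for rel in files:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return base


def run_on_sample():
    """Build the constructed tree in a temp dir, triage it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    report = run_on_sample()
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"likely exfiltrated (leak risk): {len(report['likely_exfiltrated'])}")
    for directory, count in sorted(report["by_directory"].items()):
        print(f"  {count} encrypted file(s) under {directory}")
```

The per-directory counts give an incident responder a quick picture of which shares or project folders were touched, while the ‘likely exfiltrated’ list is the set to prioritise when assessing what data could be published if the ransom is not paid. On a real host the script would be pointed at the affected volume rather than at the constructed sample tree.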

COMPANIES, ITS MAIN TARGET

Companies and organizations are the main victims of this ‘ransomware’, so Kaspersky recommends backing up data to avoid this kind of extortion in the event of a cyberattack.

It is also advisable to regularly update the device’s operating system and applications, as well as to use strong passwords for corporate services and two-factor authentication when accessing remote services.

As a preventive measure, it is worth training employees on how cyberattacks occur, as well as using security solutions that detect this type of malicious activity.
