Symantec shared an analysis report discussing a new ransomware operation called Buhti that appears to be leveraging leaked code of popular ransomware families, most notably LockBit and the defunct, Babuk. The threat actor (Blacktail) behind the campaign doesn’t appear to be linked to any other groups. Additionally, Buhti appears to have developed a custom tool for searching and exfiltrating data and archiving specified file types. Buhti is designed to target both Windows and Linux systems.

While code reuse typically indicates a less capable adversary, Symantec cautions that Blacktail should not be underestimated, in part due to their capability to quickly exploit newly disclosed vulnerabilities. Members are encouraged to review the post for awareness of the tactics and indicators of compromise of Bhuti activity and address accordingly. Read more at Symantec.