Buhti Ransomware Aims for Victims Running Both Windows and Linux

Buhti is a type of ransomware that targets both Windows and Linux systems. While the Buhti ransomware payload primarily focuses on Windows computers and is a variant of the previously leaked LockBit 3.0 ransomware with some minor adjustments, it also has a modified version specifically designed to attack Linux systems, leveraging the leaked Babuk ransomware.

When Buhti infects a system, it encrypts files and replaces each original filename with a string of random characters, then appends the victim's ID as the new extension of every encrypted file. For example, a file originally named "1.jpg" would be renamed to "4G8of7O.fxkJts2wg", while "2.png" would become "HePwiFM.fxkJts2wg", and so on. Alongside the encryption, Buhti drops a ransom note named "[victim's_ID].README.txt".
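The renaming scheme described above gives a defender two concrete indicators to look for on a suspect host: a cluster of files whose base names are random and whose shared extension is the victim ID, and a ransom note named after that same ID. The following Python script is an added example (not code from the original article or from any vendor) that scans a directory listing for exactly that pattern. The listing is constructed for the example; the victim ID "fxkJts2wg" and the first two base names come from the article, the third base name ("Qm3zLp9") is made up, and the assumption that random base names are 7 alphanumeric characters is taken from the two samples the article shows.

```python
import re
from collections import defaultdict
from pathlib import PurePath

# Assumption from the article's two samples: random base name is 7 alphanumerics.
RANDOM_BASE_RE = re.compile(r"^[A-Za-z0-9]{7}$")
EXT_RE = re.compile(r"^[A-Za-z0-9]+$")
NOTE_SUFFIX = ".README.txt"  # ransom note is "<victim_ID>.README.txt"

# Constructed directory listing: three encrypted files, the ransom note,
# and two ordinary files that must not be flagged.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/4G8of7O.fxkJts2wg",
    "C:/Users/alice/Documents/HePwiFM.fxkJts2wg",
    "C:/Users/alice/Documents/Qm3zLp9.fxkJts2wg",   # made-up base name
    "C:/Users/alice/Documents/fxkJts2wg.README.txt",
    "C:/Users/alice/Documents/report.docx",
    "C:/Users/alice/Documents/archive.tar",         # 7-char base, but a lone file
]


def find_buhti_indicators(paths, min_files=3):
    """Group files by extension and report extensions that look like a victim ID.

    An extension is reported when a ransom note "<ext>.README.txt" exists, or when
    at least `min_files` files share it and all have random-looking base names.
    Returns {victim_id: {"encrypted": [paths], "note": path or None}}.
    """
    by_ext = defaultdict(list)
    notes = {}
    for p in paths:
        name = PurePath(p).name
        if name.endswith(NOTE_SUFFIX):
            notes[name[: -len(NOTE_SUFFIX)]] = p
            continue
        base, dot, ext = name.rpartition(".")
        if dot and RANDOM_BASE_RE.match(base) and EXT_RE.match(ext):
            by_ext[ext].append(p)

    findings = {}
    for ext, files in by_ext.items():
        if ext in notes or len(files) >= min_files:
            findings[ext] = {"encrypted": sorted(files), "note": notes.get(ext)}
    # A ransom note with no matching files is still worth surfacing.
    for victim_id, note_path in notes.items():
        findings.setdefault(victim_id, {"encrypted": [], "note": note_path})
    return findings


if __name__ == "__main__":
    for victim_id, info in find_buhti_indicators(SAMPLE_LISTING).items():
        print(f"possible Buhti victim ID {victim_id}: "
              f"{len(info['encrypted'])} encrypted file(s), note={info['note']}")
```

The random-base-name heuristic is weak on its own (a file like "archive.tar" also has a 7-character base), so the script only reports an extension when several files share it or when the ransom note for that ID is present; in practice the note is the strong signal and the file count is corroboration.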

The ransom note explains that the victim's files have been encrypted with strong encryption algorithms, so the victim cannot decrypt the data independently. The note then offers a way out: purchasing a special program, a so-called decryptor, from the attackers. The attackers reassure the victims that this decryption software has been thoroughly tested and will successfully restore their data.

To regain access to their encrypted files, the note instructs the victims to use a web browser and visit a specific website. They are then prompted to enter a valid email address, which will be used to receive a download link for the decryptor after the payment is made. The ransom payment is requested in Bitcoin and the victims are provided with a specific Bitcoin address for the transaction.

Once the payment is completed, the victims will receive an email containing a link to a download page. This page includes detailed instructions on how to use the decryptor to restore their files. The ransom note emphasizes the potential risks of modifying or attempting to recover the files independently, claiming that such actions will not lead to a successful restoration of the encrypted data.

Buhti Ransom Note Asks for Bitcoin Payment

The full text of the Buhti ransom note reads as follows:

Welcome to buhtiRansom

What happend?

Your files are encrypted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your files.
Follow our instructions below and you will recover all your data.

What guarantees?

We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data.

How to get access?

Using a browser:
1) Open website: hxxps://satoshidisk.com/pay/CIGsph
2) Enter valid email to receive download link after payment.
3) Pay amount to Bitcoin address.
4) Receive email link to the download page.
5) Decrypt instruction included.

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. It WILL NOT be able to RESTORE.
!!! DANGER !!!

How is Ransomware Like Buhti Distributed Online?

Ransomware like Buhti is typically distributed online through various methods, exploiting vulnerabilities and employing social engineering tactics. Here are some common distribution channels and techniques used by ransomware like Buhti:

  • Phishing Emails: One prevalent method is through phishing emails. Attackers send deceptive emails that appear legitimate, often impersonating trusted organizations or individuals. These emails may contain infected attachments, such as malicious executable files or documents embedded with macro malware. Opening these attachments triggers the ransomware installation process.
  • Malicious Websites and Drive-by Downloads: Cybercriminals may create malicious websites or compromise legitimate websites to distribute ransomware. Unsuspecting users can unknowingly download the ransomware by visiting these sites or clicking on compromised links. Drive-by downloads occur when malware is automatically downloaded without the user's consent or knowledge.
  • Exploit Kits: Ransomware can be delivered using exploit kits, which are toolkits that take advantage of vulnerabilities in software or web browsers. When a user visits a compromised website or clicks on a malicious advertisement, the exploit kit scans for vulnerabilities and delivers the ransomware payload.
  • Remote Desktop Protocol (RDP) Attacks: Attackers target systems with exposed or weakly secured Remote Desktop Protocol connections. They employ brute-force attacks to gain unauthorized access to the system and install ransomware.
  • Malicious Advertisements (Malvertising): Malicious advertisements, or malvertisements, can be found on legitimate websites and ad networks. These ads contain hidden scripts that redirect users to websites hosting ransomware or trigger automatic downloads.
  • File-sharing Networks and Pirated Software: Illegitimate or cracked software downloaded from file-sharing networks often comes bundled with ransomware or other malware. Users seeking to obtain software or media without paying are at risk of inadvertently installing ransomware.
  • Exploiting Software Vulnerabilities: Ransomware authors exploit vulnerabilities in operating systems, applications, or network services. By targeting unpatched or outdated software, they can gain unauthorized access and deploy the ransomware payload.
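Of the distribution channels listed above, the RDP brute-force route leaves the clearest trail on the target itself: a burst of failed logons from one source address, sometimes followed by a success. The following Python script is an added example (not code from the original article or from any vendor) of detection logic run over constructed log lines. The lines are a simplified text rendering of Windows Security events, where 4625 is a failed logon, 4624 a successful logon, and logon type 10 is a remote interactive (RDP) session; the source addresses are from documentation ranges and the timestamps, users and field layout are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of a Security-log export (not real data).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2023-05-29T08:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-05-29T08:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-05-29T08:00:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2023-05-29T08:00:06 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2023-05-29T08:00:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-05-29T08:00:15 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-05-29T08:05:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
2023-05-29T08:07:30 EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed line format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected shape
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP once it produces `threshold` RDP failures within `window`.

    Returns {ip: {"first_alert": datetime, "users": set, "success_after": (ts, user) | None}}.
    A success from an already-flagged IP is recorded as the escalation condition.
    """
    recent = defaultdict(deque)   # ip -> timestamps of 4625s inside the window
    tried = defaultdict(set)      # ip -> every user name attempted
    flagged = {}
    for e in events:
        if e["logon_type"] != 10:
            continue
        ip = e["ip"]
        if e["eid"] == 4625:
            tried[ip].add(e["user"])
            q = recent[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()   # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_alert": e["ts"], "users": tried[ip],
                               "success_after": None}
        elif e["eid"] == 4624 and ip in flagged:
            flagged[ip]["success_after"] = (e["ts"], e["user"])
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {len(info['users'])} account(s) tried, first alert "
              f"{info['first_alert'].isoformat()}, success after burst: {info['success_after']}")
```

The sliding window keeps the rule cheap on large exports, and the separate "success after burst" field is what turns a noisy brute-force alert into an incident: a single user with one typo and a later success is ignored, while the address that cycled through administrator, admin and backup and then got in is reported with the account it used.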

It's crucial to maintain up-to-date security software, regularly apply software patches and updates, exercise caution when opening email attachments or clicking on suspicious links, and use strong, unique passwords to minimize the risk of falling victim to ransomware attacks.

May 29, 2023
