Buhti Ransomware

Buhti is a ransomware threat that targets both Windows and Linux systems. When attacking Windows computers, the Buhti Ransomware payload is based on a variant of the previously leaked LockBit 3.0 Ransomware, with minor modifications. Still, when it is used to infect Linux systems, the Buhti Ransomware employs a modified version of the leaked Babuk Ransomware.

The way Buhti operates is by encrypting files and replacing their original filenames with a string of random characters. Additionally, the ransomware appends the victim's ID as the new extension for each encrypted file. To communicate with the victims, Buhti leaves behind a ransom note named in the form of a text file named '[victim's_ID].README.txt.'

The Buhti Ransomware Locks a Wide Range of File Types

The ransom note provides a detailed explanation to the victims regarding the encryption of their files using robust encryption algorithms, rendering it virtually impossible for them to decrypt the data independently. However, the note states that victims can restore their data by paying a ransom to the attackers as a way to purchase a specialized program known as a 'decryptor.' The threat actors assure their victims that this decryption software has undergone thorough testing and will effectively restore their data upon successful implementation.

To establish contact with the cybercriminals, the note instructs the victims to utilize a Web browser and navigate to a specific website. Once there, they are prompted to enter a valid email address to get a download link after completing the payment process. The payment, as stipulated in the note, must be made using Bitcoin and directed to a provided Bitcoin address.

Upon completion of the payment, victims will receive an email including a link to the download page. This page includes comprehensive instructions on how to proceed with the decryption process. The ransom note strongly emphasizes the potential risks associated with attempting to modify or recover the files independently, as it claims such actions will not result in a successful restoration.

In addition to encrypting files, Buhti possesses the capability to receive command line instructions that specify particular target directories within the file system. Moreover, it employs an exfiltration tool that primarily focuses on stealing certain file types, including aiff, aspx, docx, epub, json, mpeg, pdf, php, png, ppt, pptx, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xlsx, xml, yaml and yml.

Users and Organizations Need to Protect Their Data from Ransomware Infections

To safeguard their data and devices from ransomware infections, users and organizations alike can adopt various proactive measures. First and foremost, maintaining a robust backup strategy is crucial. Regularly backing up necessary files and storing them offline or in a secure cloud storage service ensures that even if the original files are encrypted by ransomware, the user can restore them from a clean backup.

Another fundamental step is to keep all software and operating systems up to date. Applying timely security patches and updates helps protect against known vulnerabilities that ransomware may exploit. This encompass not only the operating system but also applications, plugins, and antivirus software.

Using professional anti-malware software adds an additional layer of defense. These security solutions can detect and block known ransomware strains and unsafe activities, offering real-time protection against potential threats.

Implementing strong and unique passwords for all accounts and enabling multi-factor authentication (MFA) where possible helps mitigate the risk of unauthorized access to devices and sensitive information. Regularly changing passwords and avoiding the reuse of passwords across multiple accounts are vital practices to follow.

Educating oneself about phishing techniques and social engineering tactics empowers users to recognize and avoid potential ransomware delivery methods. Being cautious about unexpected or unsolicited requests for personal information, financial details, or login credentials can help prevent falling victim to phishing attempts.

Lastly, maintaining a proactive and vigilant approach to cybersecurity is essential. Staying informed about the latest ransomware threats, security best practices, and emerging trends can help users adapt their defenses accordingly and respond effectively to potential risks.

Overall, protecting data and devices from ransomware infections requires a combination of preventive measures, awareness, and ongoing diligence to stay one step ahead of evolving threats.

The ransom note left by Buhti Ransomware to its victims is:

'----------- [ Welcome to buhtiRansom ] ------------->

What happend?

Your files are encrypted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your files.
Follow our instructions below and you will recover all your data.

What guarantees?

We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data.

How to get access?

Using a browser:
Open website: hxxps://satoshidisk.com/pay/CIGsph
Enter valid email to receive download link after payment.
Pay amount to Bitcoin address.
Receive email link to the download page.
Decrypt instruction included.

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. It WILL NOT be able to RESTORE.
!!! DANGER !!!'