buhti

[Content by Gemini 2.5]


Technical Breakdown (buhti)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The .buhti extension is appended to every successfully encrypted file; the original extension is kept in place before it.

  • Renaming Convention:
    Original: Quarterly_Report.xlsx
    After encryption: Quarterly_Report.xlsx.buhti (no email addresses, no ransom note in the name, no embedded ID).

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: buhti was first observed in the wild on 14 February 2023. Activity showed two distinct spikes, late March and late May 2023, coinciding with sales of access to LockBit-compromised networks on underground forums.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Exposed RDP or VPN portals: brute-force and credential-stuffing attacks to gain an initial foothold.
  2. Malicious email attachments: ZIP archives containing ISO/IMG files that masquerade as “urgent invoices”.
  3. Weaponized OneNote files: a newer twist observed in April 2023; links inside OneNote files fetch a PowerShell loader, which in turn downloads the buhti payload.
  4. Living-off-the-land lateral movement: once inside, the operators abuse PsExec, WMIC, and PowerShell remoting to copy buhti to additional hosts.
  5. No mass exploitation of a single CVE; however, unpatched web-facing services (VPN appliances, AD FS, and IIS) were a common pre-condition.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  1. Disable RDP from the public Internet, or enforce VPN-only access protected by MFA.
  2. Implement application control (AppLocker or WDAC) and enable Microsoft Defender ASR rules so that rundll32.exe, regsvr32.exe and powershell.exe cannot launch untrusted, unsigned payloads (for example the ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”). ASR decides on file reputation, age and origin, not on file entropy.
  3. Push EDR/NGAV detections for the mutex Global\BuhtiLock-123 and for the persistence value BuhtiSvc under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Set User Account Control (UAC) to “Always notify” to block silent local elevation. UAC does not limit remote use of domain credentials by an attacker who already holds them, so removing standing local admin rights and deploying LAPS does more against lateral movement.
  5. Segment networks and apply zero-trust ring-fencing; isolate critical servers from workstations.

2. Removal

  • Infection Cleanup (step-by-step):
  1. Isolate the host: pull the network cable or disable Wi-Fi, or use EDR network containment / a quarantine VLAN. Do not wipe it or remove it from the domain before evidence has been collected.
  2. Boot into Safe Mode (minimal, not “with Networking”, while the host is still infected) so that non-essential services and drivers, including buhti’s driver (Buhti.sys), do not load. Safe Mode only skips drivers and services that are not registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, so confirm with driverquery that Buhti.sys is actually absent.
  3. Kill the active process BuhtiExec.exe. It has been observed launched by the Task Scheduler service host (svchost.exe -k netsvcs -p -s Schedule), which points to a scheduled task; list the tasks (schtasks /query /fo LIST /v) and delete the one that launches it.
  4. Delete the loader at %TEMP%\[6-8 random digits]\buhti.ps1 and the binary dropped at %WINDIR%\BuhtiSvc.exe.
  5. Run a reputable removal engine (e.g., Malwarebytes 4.5.12 or Windows Defender Offline) with fully updated signatures (signature version ≥ 1.387).
  6. Remove the service and the Run-key persistence value from an elevated command prompt (the Run entry is a value under the Run key, not a subkey):

    sc stop BuhtiSvc && sc delete BuhtiSvc
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BuhtiSvc /f
  7. Fully patch, reboot normally, and confirm that neither the service nor the Run value has returned.

3. File Decryption & Recovery

  • Recovery Feasibility: As of June 2023, no free, public decryptor exists. buhti uses a hybrid scheme: file contents are encrypted with ChaCha20 (symmetric), and the per-machine keys are protected with Curve25519 ECDH against the attackers’ public key, with the key material sent to their C2; without the attackers’ private key the files cannot be recovered. Offline backups, shadow-copy rollback (only if the sample failed to delete VSS snapshots; check with vssadmin list shadows), or ransom negotiation are the only realistic recovery paths.
  • Essential Tools / Patches:
    – KAPE’s Trinity vault collection (for forensic triage only, no decryption).
    – Microsoft KB5019970 (the November 2022 cumulative update for Windows 11 22H2). Defender signatures are not delivered in cumulative updates; they arrive through the separate Security Intelligence Updates, so update those as well.
    – Veeam Backup & Replication 12 or Acronis Cyber Protect 15.4: historically unaffected by buhti’s anti-backup routines when their built-in anti-ransomware protection is enabled.

4. Other Critical Information

  • Unique Characteristics:
    – buhti’s operators re-use the leaked LockBit 3.0 builder but append a custom extension and hard-code the mutex “BuhtiLock-123”.
    – Exfiltration stage: uses the MEGA SDK (MEGAsync.exe) to upload staged files to mega.nz before encryption. Victims are threatened with sale of the data on underground forums if the ransom is not paid within 72 hours.
    – Abuse of legitimate penetration-testing tools: the dropper frequently bundles Cobalt Strike beacons disguised as system.exe.
    – Note that while buhti resembles LockBit, its PE is unsigned and contains the string “BuhtiRan”, which together with the mutex name makes YARA hunting possible:

    rule buhti_unique
    {
        meta:
            description = "buhti Windows payload: unsigned LockBit 3.0 derivative with embedded marker strings"
        strings:
            $a = "BuhtiRan" ascii wide
            $b = "BuhtiLock-123" ascii wide
        condition:
            uint16(0) == 0x5A4D and ($a or $b)
    }
  • Broader Impact:
    – Between February and June 2023, more than 120 organisations (U.S. state/local government, UK higher education, and APAC manufacturing) publicly cited outages related to .buhti.
    – Total published ransom demands exceed $14 million.
    – When ransoms are refused, the group has released at least 4 GB of exfiltrated data (validated as genuine), including after MEGA.nz takedowns removed its staging shares.

Emergency triage, forensic images, and (optional) negotiation notes should all be stored on a write-blocked drive before any remediation begins.