Symantec has identified a new ransomware operation called Buhti, also known as Blacktail, that targets both Linux and Windows systems. The operation has been rapidly expanding since mid-April, using LockBit and Babuk variants to exploit vulnerabilities for initial access and steal victim files. Buhti operators utilize a modified version of LockBit 3.0 for Windows machines and Golang-based Babuk variants for Linux systems. They also employ a custom information stealer and exploit recent vulnerabilities, such as CVE-2023-27350 and CVE-2022-47986, to execute remote code and carry out data theft. Buhti has been observed targeting organizations globally.