A new ransomware group named ‘RA Group’ is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea.
The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims’ details and stolen data, engaging in the typical ‘double-extortion’ tactic used by most ransomware gangs.
While the extortion portal was launched on April 22nd, 2023, the first batch of victimized organizations was published on April 27th, including sample files, a description of the type of content that was stolen, and links to stolen data.
In a new report by Cisco Talos, researchers explain that RA Group uses an encryptor based on the leaked source code for the Babuk ransomware, a ransomware operation that shut down in 2021.
Last week, Sentinel Labs reported that at least nine distinct ransomware operations are using the Babuk source code that was leaked on a Russian-speaking hacker forum in September 2021, as it gives threat actors an easy way to expand their broaden their scope to cover Linux and VMware ESXi.
In addition to the ransomware groups cited in the Sentinel Labs report as users of Babuk, Cisco Talos also mentions Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, and ESXiArgs.
RA Group attack details
A notable characteristic of RA Group is that each attack features a custom ransom note written specifically for the targeted organization, while the executable is also named after the victim.
The ransomware targets all logical drives on the victim’s machine and network shares and attempts to encrypt specific folders, excluding those related to the Windows system, boot, Program Files, etc.
This is to avoid rendering the victim’s system unusable, making it unlikely to receive a ransom payment.
RA Group’s encryptor uses intermittent encryption, which is to alternative between encrypting and not encrypting sections of a file to speed up the encryption of a file. However, this approach can be risky as it allows some data to be partially recovered from files.
When encrypting data, the encryptor will use curve25519 and eSTREAM cipher hc-128 algorithms.
Encrypted files are appended the filename extension “.GAGUP” while all volume shadow copies and Recycle Bin contents are wiped to prevent easy data restoration.
The ransom note dropped on the victim’s system is named ‘How To Restore Your Files.txt‘ and requires the victim to use qTox messenger to contact the threat actors and negotiate a ransom.
The note also includes a link to a repository containing files stolen from the victim as proof of the data breach.
The threat actors claim to give victims three days before a sample of stolen data is published on extortion sites, but like other ransomware operations, this is likely open to negotiation.
As this is a relatively new ransomware operation, with only a few victims, it is unclear how they breach systems and spread laterally on a network.