Threat researchers have identified another new ransomware actor, this one using Babuk’s leaked source code in attacks against organizations in the United States and South Korea.
According to Cisco Talos, RA Group emerged in April of this year; a dedicated leak site appeared at the end of the month listing exfiltrated data, victim URLs and other information. The group also sells the leaked data on Tor-hosted sites.
Cisco warns that the group is rapidly stepping up its activity, with three U.S. victims and one South Korean victim operating in the manufacturing, asset management, insurance and pharmaceutical industries.
As is common with such groups, the ransom note is embedded in the code and personalized for each victim organization. What is unusual, the report notes, is that RA Group also includes the victim’s name in the executable itself.
“The debug path and the fact that the ransomware contains the same mutex as Babuk confirms our assessment that this group is using the Babuk source code leaked in September 2021,” Talos writes.
Cisco says the executable uses Curve25519 together with the eSTREAM HC-128 stream cipher, but encrypts only part of each file to speed up the process. Once encryption finishes, the “.Gagup” extension is appended to the affected files, and the malware empties the Recycle Bin and deletes the volume shadow copies of the data.
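Two of the behaviours just described, a burst of files renamed to the “.Gagup” extension and the removal of volume shadow copies, are observable on an endpoint. The following detection sketch is an added example, not code from Talos or from the report; it scans constructed file-rename and process-creation log lines for those two indicators. The log format, the per-host rename threshold and the shadow-copy deletion command-line patterns are assumptions for illustration, since the report states only that shadow copies are deleted, not how.

```python
"""Endpoint-log detection sketch for the RA Group indicators described above.

Added example (not Talos code). Looks for (1) a burst of ".Gagup" renames on a
host within a short window and (2) command lines that delete shadow copies.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

RANSOM_EXT = ".gagup"             # extension the report says RA Group appends
RENAME_THRESHOLD = 5              # assumed: renames per host within WINDOW to alert
WINDOW = timedelta(minutes=2)     # assumed alerting window

# Assumed command-line patterns for shadow-copy deletion; the report does not
# say which mechanism RA Group uses, these are common Windows ways to do it.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]

# Assumed log line format: "<ISO timestamp> <host> <event> <detail>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(FILE_RENAME|PROCESS_CREATE)\s+(.*)$")

# Constructed sample telemetry (not real data): host1 shows both indicators,
# host2 shows a single stray rename and a benign process.
SAMPLE_LOGS = [
    "2023-05-01T10:00:00 host1 FILE_RENAME C:\\data\\q1.xlsx -> C:\\data\\q1.xlsx.Gagup",
    "2023-05-01T10:00:01 host1 FILE_RENAME C:\\data\\q2.xlsx -> C:\\data\\q2.xlsx.Gagup",
    "2023-05-01T10:00:02 host1 FILE_RENAME C:\\data\\plan.docx -> C:\\data\\plan.docx.Gagup",
    "2023-05-01T10:00:03 host1 FILE_RENAME C:\\data\\hr.pdf -> C:\\data\\hr.pdf.Gagup",
    "2023-05-01T10:00:04 host1 FILE_RENAME C:\\data\\db.bak -> C:\\data\\db.bak.Gagup",
    "2023-05-01T10:00:05 host1 FILE_RENAME C:\\data\\notes.txt -> C:\\data\\notes.txt.Gagup",
    "2023-05-01T10:00:20 host1 PROCESS_CREATE vssadmin.exe delete shadows /all /quiet",
    "2023-05-01T11:00:00 host2 FILE_RENAME C:\\tmp\\old.log -> C:\\tmp\\old.log.bak",
    "2023-05-01T11:30:00 host2 FILE_RENAME C:\\tmp\\x.txt -> C:\\tmp\\x.txt.Gagup",
    "2023-05-01T12:00:00 host2 PROCESS_CREATE notepad.exe C:\\tmp\\readme.txt",
    "garbage line that does not parse",
]


def parse_line(line):
    """Return (timestamp, host, event, detail), or None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, detail = m.groups()
    try:
        return datetime.fromisoformat(ts), host, event, detail
    except ValueError:
        return None


def burst_detected(timestamps, threshold=RENAME_THRESHOLD, window=WINDOW):
    """True if at least `threshold` timestamps fall inside some span of length `window`."""
    ts = sorted(timestamps)
    j = 0
    for i in range(len(ts)):
        # Advance j to the first timestamp outside the window starting at ts[i].
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def analyze(lines):
    """Return hosts flagged for each indicator, as sorted lists."""
    renames = defaultdict(list)   # host -> timestamps of ".Gagup" renames
    shadow_hosts = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip unparseable telemetry instead of crashing
        ts, host, event, detail = parsed
        if event == "FILE_RENAME":
            target = detail.split("->")[-1].strip()
            if target.lower().endswith(RANSOM_EXT):
                renames[host].append(ts)
        elif event == "PROCESS_CREATE":
            if any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
                shadow_hosts.add(host)
    return {
        "ransom_ext_burst": sorted(h for h, t in renames.items() if burst_detected(t)),
        "shadow_copy_deletion": sorted(shadow_hosts),
    }


if __name__ == "__main__":
    for indicator, hosts in analyze(SAMPLE_LOGS).items():
        print(f"{indicator}: {hosts or 'none'}")
```

The burst check matters more than the extension match on its own: a single renamed file can be a false positive, whereas many renames on one host inside a couple of minutes is the mass-encryption signature, and correlating it with a shadow-copy deletion on the same host gives a high-confidence alert.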
RA Group does not, however, encrypt every file and folder; some are deliberately left untouched so that the victim organization can “download the qTox application and contact the RA Group operator using the qTox ID provided in the ransom note.”
After analyzing earlier ransom notes, Cisco says victims are given three days to contact the extortionists, after which RA Group begins exfiltrating files.
“Victims can confirm that their information has been exposed by downloading a file using the gofile[.]io link in the ransom note,” the report adds.
“So far, we have no information on how this group gains initial access or performs post-breach activities,” the researchers conclude.