A new ransomware gang has emerged that has been attacking organizations in the United States and South Korea. RA Group has been operating since late April 2023 and uses a new ransomware strain built from the Babuk source code that was leaked on a Russian-language hacking forum in 2021.
Each attack used an executable named after the victim organization and a custom ransom note written for that victim. RA Group engages in double extortion: files are exfiltrated before encryption, and the ransom buys both the decryptor and a promise not to publish the stolen data. The group created its dark web data leak site in April, and the first victims were added on April 27. The leak site lists at least four victims, one in South Korea and three in the United States; other organizations may have been attacked and paid the ransom, in which case they would not appear there. The victims so far are pharmaceutical, insurance, wealth management, and manufacturing firms. Samples of the stolen data have been uploaded to the site.
The ransomware enumerates all logical drives on the victim's device along with accessible network shares and encrypts a wide range of files and folders, but it skips Windows system files so that the device remains usable and the ransom note can be read. Volume shadow copies and the contents of the Recycle Bin are deleted to hamper recovery without paying. To speed up encryption, the ransomware uses intermittent encryption, encrypting only portions of each file rather than the whole file, with Curve25519 for key agreement and the eSTREAM stream cipher HC-128 for the file data. Encrypted files are given the .GAGUP extension.
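Intermittent encryption has a side effect defenders can use: a whole-file entropy check averages the encrypted and untouched regions together and may not fire, but per-window entropy shows the alternating pattern. The following is an added example, not code from Cisco Talos or from the ransomware, of a small triage script that scores fixed-size windows of a file and combines the result with the .GAGUP extension reported above. The sample data is constructed inline; the keystream is a seeded pseudo-random stand-in for HC-128, and the every-other-window pattern is an assumption, since the page does not state the stride RA Group uses.

```python
"""Chunked-entropy triage for intermittently encrypted files.

Added example, not Talos's or RA Group's code. The XOR keystream below is a
constructed stand-in for HC-128, and the every-other-chunk pattern is an
assumption; the page does not give the real stride.
"""
import math
import random
from collections import Counter

CHUNK = 4096           # analysis window in bytes
HIGH = 7.0             # bits/byte at or above which a window looks encrypted
LOW = 6.0              # bits/byte at or below which a window looks like ordinary content
RANSOM_EXT = ".GAGUP"  # extension reported for RA Group


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive window of `chunk` bytes."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Return 'plaintext', 'fully-encrypted' or 'intermittent'.

    A file with both high- and low-entropy windows is the signature of
    partial encryption; whole-file entropy would blur the two together.
    """
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= HIGH)
    low = sum(1 for e in ents if e <= LOW)
    if high == 0:
        return "plaintext"
    if low == 0:
        return "fully-encrypted"
    return "intermittent"


def triage(name: str, data: bytes) -> list:
    """Indicators that fire for one file; an empty list means nothing seen."""
    hits = []
    if name.upper().endswith(RANSOM_EXT):
        hits.append("extension " + RANSOM_EXT)
    verdict = classify(data)
    if verdict != "plaintext":
        hits.append("entropy profile: " + verdict)
    return hits


# --- constructed sample data (not real victim files) -------------------------

def keystream(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes standing in for a stream cipher."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def intermittent_encrypt(data: bytes, chunk: int = CHUNK, every: int = 2) -> bytes:
    """XOR every `every`-th window with keystream and leave the others untouched."""
    ks = keystream(len(data))
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk)):
        if idx % every == 0:
            for j in range(start, min(start + chunk, len(data))):
                out[j] ^= ks[j]
    return bytes(out)


SAMPLE_TEXT = (b"quarterly claims ledger, policy 4471: premium received, reserve adjusted.\n"
               * 900)  # roughly 64 KiB of ordinary text


if __name__ == "__main__":
    samples = [("ledger.txt", SAMPLE_TEXT),
               ("ledger.txt.GAGUP", intermittent_encrypt(SAMPLE_TEXT)),
               ("ledger.bin", keystream(len(SAMPLE_TEXT)))]
    for fname, blob in samples:
        print(fname, classify(blob), triage(fname, blob))
```

Compressed or already-encrypted content (archives, media, disk images) is high-entropy throughout and will be reported as fully encrypted, so in practice the entropy verdict is one signal to combine with the extension, the presence of ransom notes, and shadow-copy deletion events rather than a standalone alert.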
The ransom notes include a link to a sample of the files stolen before encryption as proof of data theft, and victims are told to contact the group over the qTox messenger to negotiate payment. Victims are given three days before their files start being published on the data leak site. The new actor was identified by researchers at Cisco Talos, who report that the attacks began on April 22, 2023. RA Group is not the only threat actor building on the leaked Babuk code: ESXiArgs, which emerged in February 2023, is based on it, as are the AstraLocker 2.0, Nokoyawa, Cheerscrypt, Pandora, Night Sky, and Rook ransomware families. The researchers say the group is in the early stages of its operation and is expanding at a fast pace. At this point relatively little is known about its intrusions, including how initial access is gained and how lateral movement is achieved.