RA Ransomware Group Introduces Unique Approach to Babuk

RA Group, a newly discovered ransomware gang, is causing concern as it sets its sights on an increasing number of high-profile targets. The group, whose ransomware is based on the leaked Babuk source code, is developing a reputation for its highly customised approach to cyberattacks. According to an analysis from cybersecurity company Cisco Talos, RA Group began operations on April 22nd and has since targeted several organisations across the US and South Korea in industries such as manufacturing, wealth management, insurance, and pharmaceuticals.

As we have previously reported, the Babuk ransomware code was leaked online in September 2021, and since then several other threat actors have been using it for their ransomware attacks. However, what distinguishes RA Group from the rest of the pack is its unique approach to the ransomware business. In particular, the group is using a highly customised version of the Babuk code that is built to exploit several known vulnerabilities, including those found in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and others.

By leveraging code that has already been written and leaked, the group is significantly reducing its development time and possibly even incorporating features that it would have been unable to create without access to the Babuk source code. As Erich Kron, a security awareness advocate at KnowBe4, noted, “It’s become very clear that you do not have to be a technical marvel to play in the cybercrime and extortion game. Simply using other people’s code, through a subscription or through leaks such as this, with minor modifications can get just about anyone equipped to carry out attacks.”

RA Group is using a typical double-extortion model in which it threatens to leak exfiltrated data if the victim does not pay the ransom. However, the group is taking things a step further by giving victims just three days to pay up. Additionally, RA Group is selling the victim’s exfiltrated data by hosting it on a secured Tor leak site, a new twist on the already established ransomware playbook.

Organisations should take note of RA Group’s unique approach to ransomware and take the necessary steps to defend themselves against this growing threat. They should ensure their environments are patched and up to date, continually monitor their networks for any signs of malicious activity, ensure their security tools are updated with the latest indicators of compromise, and have effective backup and recovery procedures in place in the event of a successful attack.

Given the growing number of ransomware attacks and the success criminals are having in exploiting known vulnerabilities, it is essential that organisations take a more proactive approach to cybersecurity. The cost of a breach, in terms of both financial and reputational damage, can be catastrophic, so it is vital that businesses take the necessary steps to protect themselves before it is too late. By working with experienced cybersecurity professionals, companies can develop a robust and effective defence strategy that will reduce their risk of falling victim to this growing threat.
