CyberSecurity SEE

The RA Group, a new ransomware gang, is rapidly expanding its operations.

A new ransomware group called RA Group has emerged recently, combining data theft with extortion. The group operates a data leak site and threatens to publish stolen data publicly if a victim fails to contact them within a specified time period or does not meet their ransom demands. The group’s ransomware program was built from the leaked source code of Babuk, another threat that emerged in late September 2021.

Researchers from Cisco Talos, who analyzed the ransomware sample, have not yet determined how attackers are gaining initial access to these networks. However, they suggest that it may be through vulnerabilities in publicly exposed systems, stolen remote access credentials, or by buying access from a different cybercrime gang that distributes malware. Once initial access is obtained, the attackers engage in lateral movement and deploy other malware tools in an attempt to exfiltrate potentially valuable and sensitive data from these companies.

Talos found that the final ransom note dropped by the RA Group is tailored for each individual victim, refers to them by name, lists specific data that was copied, and warns of publicly leaking it within three days if a ransom payment is not made. The group’s data leak site, hosted on a Tor server, was launched on April 22 and had already listed four victims by the end of the month. It included their names, links to their websites, and a summary of the available data that was also made available for sale to others.

The ransomware binary analyzed by Talos was compiled on April 23 and written in C++, with a debug path that is consistent with paths found in Babuk. Babuk used AES-256-CTR with the ChaCha8 cipher for file encryption, but RA Group takes a different approach. It uses the Windows API function CryptGenRandom to generate cryptographically random bytes, which serve as a per-victim private key in an encryption scheme based on curve25519 and the eSTREAM cipher HC-128. Files are only partially encrypted to speed up the process and are renamed with the extension .GAGUP.

The ransomware program has a list of folders and files that it will not encrypt to avoid system crashes. However, it will check the network for writable file shares and attempt to encrypt files stored on them. It will also empty the system recycle bin and use the vssadmin.exe tool to delete volume shadow copies that could be used to recover files.
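Two of the behaviours described above, the vssadmin.exe shadow-copy deletion and the mass renaming of files (including files on network shares) to the .GAGUP extension, are the kind of host telemetry a defender can alert on. The script below is an added example, not code from the article or from Talos: it runs two simple detection rules over constructed, Sysmon-style JSON event lines (process creation and file rename). The event field names, hostnames, paths and timestamps are all assumptions made for the sample; the `delete shadows` subcommand is the standard vssadmin syntax, and the `.GAGUP` extension is the one the article reports.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article), one JSON event per line,
# loosely modelled on Sysmon process-creation and file-rename events.
# Backslashes are doubled because the string is JSON; r""" keeps them intact.
SAMPLE_EVENTS = r"""
{"ts": "2023-04-23T09:00:00", "host": "ws01", "type": "rename", "src": "C:\\Users\\u\\old.txt", "dst": "C:\\Users\\u\\old.txt.GAGUP"}
{"ts": "2023-04-23T10:00:01", "host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "C:\\Users\\u\\Downloads\\update.exe"}
{"ts": "2023-04-23T10:00:02", "host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2023-04-23T10:00:05", "host": "ws01", "type": "rename", "src": "D:\\docs\\q1.xlsx", "dst": "D:\\docs\\q1.xlsx.GAGUP"}
{"ts": "2023-04-23T10:00:06", "host": "ws01", "type": "rename", "src": "D:\\docs\\q2.xlsx", "dst": "D:\\docs\\q2.xlsx.GAGUP"}
{"ts": "2023-04-23T10:00:07", "host": "ws01", "type": "rename", "src": "\\\\fs01\\finance\\budget.xlsx", "dst": "\\\\fs01\\finance\\budget.xlsx.GAGUP"}
{"ts": "2023-04-23T10:00:08", "host": "ws01", "type": "rename", "src": "\\\\fs01\\finance\\plan.docx", "dst": "\\\\fs01\\finance\\plan.docx.GAGUP"}
{"ts": "2023-04-23T10:00:09", "host": "ws01", "type": "rename", "src": "D:\\docs\\notes.txt", "dst": "D:\\docs\\notes.txt.GAGUP"}
{"ts": "2023-04-23T10:00:10", "host": "ws01", "type": "rename", "src": "D:\\docs\\a.log", "dst": "D:\\docs\\a.log.bak"}
{"ts": "2023-04-23T10:00:11", "host": "ws02", "type": "rename", "src": "C:\\tmp\\x.txt", "dst": "C:\\tmp\\x.txt.GAGUP"}
"""

# vssadmin subcommand that removes volume shadow copies (case-insensitive).
VSSADMIN_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RANSOM_EXT = ".gagup"  # extension reported for RA Group, compared lower-case


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_shadow_copy_deletion(events):
    """Flag vssadmin.exe invocations that delete shadow copies (backup inhibition)."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        if not ev.get("image", "").lower().endswith("vssadmin.exe"):
            continue
        if VSSADMIN_DELETE.search(ev.get("cmdline", "")):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                           "ts": ev["ts"], "parent": ev.get("parent")})
    return alerts


def detect_mass_rename(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a host that renames at least `threshold` files to the ransomware
    extension within a sliding time window; a single rename is not alerted."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("type") == "rename" and ev.get("dst", "").lower().endswith(RANSOM_EXT):
            by_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "mass_rename_gagup", "host": host,
                               "first": times[start].isoformat(),
                               "count": end - start + 1})
                break  # one alert per host is enough for this example
    return alerts


def run(text):
    """Run both rules over a block of JSON event lines and return all alerts."""
    events = parse_events(text)
    return detect_shadow_copy_deletion(events) + detect_mass_rename(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Against the sample, the first rule fires once (the `list shadows` call from Explorer is ignored) and the second fires for ws01 only: the lone rename an hour earlier falls outside the window, and ws02's single rename never reaches the threshold. The threshold and window are tunables; in a real deployment the parent process of the vssadmin call (here an executable in a Downloads folder) is usually the most useful field for triage.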

According to Talos, the RA Group has already compromised three US-based organizations and one from South Korea, covering business verticals such as manufacturing, wealth management, insurance providers, and pharmaceuticals. The group’s data leak site has already begun to leak stolen data and threatens to do so at a remarkably fast rate.

The escalating threat of ransomware is a major concern for organizations worldwide. With ransomware groups adopting such tactics as gathering and selling stolen data, companies must take strong action to ensure their defenses are up to date and continually monitored. The RA Group’s ability to tailor its attack to each victim shows the depth of effort these groups put into their attacks. Therefore, organizations must ensure they take proactive measures to guard against these threats. It is vital that organizations practice good cybersecurity hygiene by keeping software systems up to date, using strong passwords, and conducting security awareness training for their employees.

In summary, the RA Group is the latest ransomware group to emerge, using Babuk’s leaked source code to compromise organizations worldwide. Their method involves not only encrypting but also stealing data and threatening to publish it if the ransom demands are not met. It is more imperative than ever that organizations acknowledge the growing threat of ransomware and take the necessary steps to defend themselves against such attacks.
