Jump to content
  • New RA Group ransomware targets U.S. orgs in double-extortion attacks

    alf9872000

    • 496 views
    • 3 minutes
     Share


    • 496 views
    • 3 minutes

    A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea.

     

    The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.

     

    While the extortion portal was launched on April 22nd, 2023, the first batch of victimized organizations was published on April 27th, including sample files, a description of the type of content that was stolen, and links to stolen data.

     

    ra-group-leak-site.jpg

    Victim entry on RA Group's extortion site
    Source: BleepingComputer

     

    In a new report by Cisco Talos, researchers explain that RA Group uses an encryptor based on the leaked source code for the Babuk ransomware, a ransomware operation that shut down in 2021.

     

    Last week, Sentinel Labs reported that at least nine distinct ransomware operations are using the Babuk source code that was leaked on a Russian-speaking hacker forum in September 2021, as it gives threat actors an easy way to expand their broaden their scope to cover Linux and VMware ESXi.

     

    In addition to the ransomware groups cited in the Sentinel Labs report as users of Babuk, Cisco Talos also mentions Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, and ESXiArgs.

     

    babuk-gangs.jpg

    Ransomware groups using the leaked Babuk code (Cisco)

    RA Group attack details

    A notable characteristic of RA Group is that each attack features a custom ransom note written specifically for the targeted organization, while the executable is also named after the victim.

     

    The ransomware targets all logical drives on the victim's machine and network shares and attempts to encrypt specific folders, excluding those related to the Windows system, boot, Program Files, etc.

     

    This is to avoid rendering the victim's system unusable, making it unlikely to receive a ransom payment.

     

    RA Group's encryptor uses intermittent encryption, which is to alternative between encrypting and not encrypting sections of a file to speed up the encryption of a file. However, this approach can be risky as it allows some data to be partially recovered from files.

     

    When encrypting data, the encryptor will use curve25519 and eSTREAM cipher hc-128 algorithms.

     

    Encrypted files are appended the filename extension ".GAGUP" while all volume shadow copies and Recycle Bin contents are wiped to prevent easy data restoration.

     

    shad-cop.jpg

    Deleting shadow copies (Cisco)

     

    The ransom note dropped on the victim's system is named 'How To Restore Your Files.txt' and requires the victim to use qTox messenger to contact the threat actors and negotiate a ransom.

     

    The note also includes a link to a repository containing files stolen from the victim as proof of the data breach.

     

    ransom-note.jpg

    A sample of RA Group's ransom note (Cisco)

     

    The threat actors claim to give victims three days before a sample of stolen data is published on extortion sites, but like other ransomware operations, this is likely open to negotiation.

     

    As this is a relatively new ransomware operation, with only a few victims, it is unclear how they breach systems and spread laterally on a network.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...