A new ransomware group calling itself “RA Group” has been spotted. Despite being a newcomer to the ransomware scene, it has already listed four victims on its data leak site: three organizations in the US and one in South Korea, spanning manufacturing, wealth management, insurance and pharmaceuticals.
RA Group is the latest ransomware outfit to use the Babuk ransomware source code leaked in September 2021 on a Russian-language cybercrime forum. According to a recent report from cybersecurity firm SentinelLabs, at least 10 distinct ransomware families are deploying VMware ESXi hypervisor lockers based on the leaked Babuk code.
Active since April 2023, RA Group has been rapidly expanding its operations, threat hunters at Cisco Talos warn. Like other ransomware gangs, the threat actor runs double-extortion attacks and operates a data leak site on which it threatens to publish data stolen from victims who fail to make contact within a set time or do not meet the ransom demand.
“RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28. We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation. … The RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site,” the researchers note.
The ransomware carries a built-in ransom note tailored to each victim; the group also names the victim inside the executable itself, which is uncommon in ransomware operations. For defenders this means every victim receives a distinct build, so file hashes shared as IoCs are unlikely to match a new intrusion; string-, behaviour- and note-based detection travels better than hash matching here.
“RA Group uses customized ransom notes, including the victim's name and a unique link to download the exfiltration proofs,” the Talos team explains. “If the victim fails to contact the actors within three days, the group leaks the victim's files.”
The ransomware deliberately skips certain files and folders, leaving the system usable enough for the victim to reach the RA Group operators.
“These files and folders are necessary for the system to work properly and to allow the victims to download the qTox [messaging] application and contact RA group operators using the qTox ID provided on the ransom note,” the researchers explain.
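The per-victim note, the proof-download link and the qTox contact ID described above are the artefacts an incident responder most wants to pull out of a note found on a hit host. The Python below is an added example, not Cisco Talos tooling and not anything recovered from RA Group samples: it extracts those fields from a note and checks the Tox ID's built-in checksum (a 76-hex-character Tox ID, which is what qTox displays, is a 32-byte public key, a 4-byte "nospam" value and a 2-byte checksum formed by XORing the first 36 bytes two at a time). The sample note, its victim name, its link and its Tox ID are all constructed here; the note's wording is an assumption, since the page does not reproduce RA Group's actual note, and the `scan_tree` helper and its file-suffix list are likewise assumptions for sweeping a mounted image.

```python
"""Triage helper for ransom notes that point victims at a qTox ID.

Added example, not Talos tooling. The note and every indicator in it are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# A Tox ID is 38 bytes (32-byte public key + 4-byte nospam + 2-byte checksum)
# shown as 76 hex characters; the lookarounds stop us matching inside longer
# hex blobs such as hashes or keys dumped in the same file.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed note layout: a greeting line that names the victim.
VICTIM_RE = re.compile(r"^\s*(?:Hello|Dear|Attention)[ ,:]+([^\n!,.]+)", re.M)


def tox_checksum(body: bytes) -> bytes:
    """Tox ID checksum: XOR the 36 key+nospam bytes into two bytes, alternating."""
    if len(body) != 36:
        raise ValueError("expected 36 bytes of public key + nospam")
    chk = bytearray(2)
    for i, b in enumerate(body):
        chk[i % 2] ^= b
    return bytes(chk)


def tox_id_is_valid(tox_id: str) -> bool:
    """True if the string is 76 hex chars whose trailing checksum verifies."""
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Assemble a well-formed Tox ID; used here only to build the sample note."""
    body = public_key + nospam
    return (body + tox_checksum(body)).hex().upper()


@dataclass
class NoteIndicators:
    victim: Optional[str]
    urls: List[str]
    tox_ids: Dict[str, bool]  # Tox ID -> checksum verifies?


def parse_ransom_note(text: str) -> NoteIndicators:
    """Pull victim name, links and Tox IDs (with validity) out of one note."""
    m = VICTIM_RE.search(text)
    victim = m.group(1).strip() if m else None
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)})
    tox_ids = {t.upper(): tox_id_is_valid(t) for t in TOX_ID_RE.findall(text)}
    return NoteIndicators(victim, urls, tox_ids)


def scan_tree(root: Path, suffixes=(".txt", ".hta", ".html")) -> Dict[Path, NoteIndicators]:
    """Walk a mounted image (assumed read-only) and parse every file that carries a Tox ID."""
    found: Dict[Path, NoteIndicators] = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        text = p.read_text(errors="replace")
        if TOX_ID_RE.search(text):
            found[p] = parse_ransom_note(text)
    return found


# Constructed sample: a synthetic key (bytes 0..31) and nospam, so the checksum verifies.
SAMPLE_TOX_ID = make_tox_id(bytes(range(32)), b"\xde\xad\xbe\xef")

SAMPLE_NOTE = f"""Hello Acme Widgets Inc,
Your network has been penetrated and your data was exfiltrated.
Proof of the stolen files: http://leaks.example.invalid/proof/acme-7f3a
You have 3 days to contact us. Install qTox and add our ID:
{SAMPLE_TOX_ID}
"""

if __name__ == "__main__":
    res = parse_ransom_note(SAMPLE_NOTE)
    print("victim :", res.victim)
    print("urls   :", res.urls)
    for tid, ok in res.tox_ids.items():
        print("tox id :", tid, "(checksum ok)" if ok else "(checksum BAD)")
```

The checksum test matters in practice: a note transcribed from a screenshot or OCR'd from a wallpaper often has a damaged ID, and a Tox ID that fails its own checksum should be flagged rather than circulated as an IoC. A valid ID, by contrast, is a stable long-lived indicator that survives the per-victim rebuilds of the executable.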
A list of Indicators of Compromise (IoCs) related to this threat is available here.