New Ransomware Gang RA Group Hits US and South Korean Organizations


May 15, 2023 | Ravie Lakshmanan | Endpoint Security / Ransomware


A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant.

The cybercriminal gang, which is said to have been in operation since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos.

“To date, the group has compromised three organizations in the US and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals,” security researcher Chetan Raghuprasad said in a report shared with The Hacker News.

RA Group is no different from other ransomware gangs in that it carries out double-extortion attacks and runs a data leak site to put additional pressure on victims to pay the ransom.


The Windows-based binary employs intermittent encryption to speed up the process and evade detection; it also deletes volume shadow copies and the contents of the machine’s Recycle Bin, which removes the most convenient local recovery options.

“RA Group used a special ransom note, including the victim’s name and a unique link to download exfiltration evidence,” explained Raghuprasad. “If the victim fails to contact the perpetrator within three days, the group will leak the victim’s file.”

It also takes steps to avoid encrypting system files and folders listed in a hard-coded exclusion list, which keeps the machine usable enough for victims to download the qTox chat application and reach out to the operator using the qTox ID provided in the ransom note.

What sets RA Group apart from other ransomware operations is that the threat actors have also been seen selling exfiltrated victim data on their leak portal, hosting that information on a secured Tor site.


The development comes less than a week after SentinelOne disclosed that threat actors of varying sophistication and expertise are increasingly adopting Babuk ransomware code to develop a dozen variants capable of targeting Linux systems.

“There is a clear trend that actors are increasingly using Babuk authors to develop ESXi and Linux ransomware,” the cybersecurity firm said. “This is especially obvious when used by actors with fewer resources, as these actors are likely to modify Babuk’s source code significantly.”



Other ransomware actors that have adopted Babuk’s source code over the past year include AstraLocker and Nokoyawa. Cheerscrypt, another ransomware strain based on Babuk, has been linked to a Chinese espionage actor named Emperor Dragonfly, which is known for operating short-lived ransomware schemes such as Rook, Night Sky, and Pandora.

The finding also follows the discovery of two other new ransomware strains, codenamed Rancoz and BlackSuit, the latter of which is designed to target Windows servers and VMware ESXi.

“The constant evolution and release of new ransomware variants highlights the advanced skills and agility of (threat actors), demonstrating that they respond to implemented cybersecurity measures and checks and adapt their ransomware accordingly,” Cyble said.
