Threat researchers have discovered another new ransomware actor, this time leveraging Babuk source code in attacks on US and South Korean organizations.
RA Group emerged in April this year, with a dedicated leak site appearing at the end of the month listing exfiltrated data, victim URLs and other information, according to Cisco Talos. The group is also selling exfiltrated data, which is hosted on a Tor site.
Read more on Babuk: Threat Actors Use Babuk Code to Build Hypervisor Ransomware.
Cisco warned that the group is ramping up activity fast, with three US victims and one in South Korea across manufacturing, wealth management, insurance providers and pharmaceuticals sectors.
As is usual for such groups, ransom notes are built into the code and personalized for each victim organization. However, RA Group is unusual in also naming the victim in the executable, the report noted.
Both the debug path and the fact that the ransomware contains the same mutex as Babuk supports Cisco’s assessment that the group is using the Babuk source code, which was leaked back in September 2021.
The executable itself uses curve25519 and eSTREAM cipher hc-128 algorithms, but only partially encrypts files in order to accelerate the process, Cisco said. Once completed, a “.Gagup” extension is applied and all recycle bin and volume shadow copies of data are deleted.
However, RA Group doesn’t encrypt all files and folders, leaving some untouched so that victim organizations can “download the qTox application and contact RA Group operators using the qTox ID provided on the ransom note.”
After analyzing previous ransom notes, Cisco asserted that victims get three days to contact their extorters, after which time RA Group begins to leak their files.
“The victims can confirm the exfiltration of their information by downloading a file using the gofile[.]io link in the ransom note,” it explained.
There is no information thus far on how the group gains initial access or conducts post-intrusion activity.