New ransomware gang RA Group quickly expanding operations
A new ransomware threat called RA Group has been targeting organizations since late April, engaging in data theft and extortion. The group's ransomware program is built from the leaked source code of another threat called Babuk. RA Group operates a data leak site where it threatens to publish data exfiltrated from victims who fail to make contact or meet the ransom demand, which increases the pressure on victims to pay.

Cisco Talos researchers have analyzed the ransomware sample but have not determined the initial access method used by the attackers. It is likely that the attackers gain access by exploiting vulnerabilities in publicly exposed systems, using stolen remote access credentials, or buying access from other cybercrime gangs. The attackers are interested in exfiltrating sensitive and valuable data before deploying the ransomware. The final ransom note is tailored for each victim: it refers to the victim by name and lists the exact type of data that was copied and that will be leaked if contact is not made within three days.

The group's data leak site was launched on April 22, and by the end of the month it had already listed four victims along with their names, links to their websites, and a summary of the data available for sale. The data is hosted on a Tor server, and victims need to contact the group using the qTox encrypted messaging app.

The ransomware executable includes the victim's name, suggesting that a unique variant is built for each victim. The binary analyzed by Talos was compiled on April 23, is written in C++, and contains a debug path consistent with Babuk. Since Babuk's source code was leaked online in September 2021, multiple ransomware threats have been developed from it, including Rook, Night Sky, Pandora, Cheerscrypt, AstraLocker, ESXiArgs, Rorschach, RTM Locker, and now RA Group. RA Group uses a different encryption approach than Babuk, employing Curve25519 and the eSTREAM cipher HC-128.
Files are partially encrypted to speed up the process and renamed with the extension .GAGUP. The ransomware avoids encrypting critical system folders and files, but it checks the network for writable file shares and attempts to encrypt the files stored on them. It also empties the system recycle bin and deletes volume shadow copies using the vssadmin.exe tool. The group has compromised three organizations in the US and one in South Korea across various business verticals, including manufacturing, wealth management, insurance providers, and pharmaceuticals.

Malware: Babuk, RA Group

[View Article](https://www.csoonline.com/article/3696434/new-ransomware-gang-ra-group-quickly-expanding-operations.html)
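Two of the behaviours described above are directly observable in endpoint telemetry: the `vssadmin.exe` shadow-copy deletion and the burst of files being rewritten with the `.GAGUP` extension, including on network shares. The following Python script, added here as an illustration and not code from the article or from Cisco Talos, shows how a detection pipeline could flag both signals. The event records, hostnames, file paths, thresholds and rule names are all constructed for the example; the regular expression and the per-host sliding-window burst logic are the assumed detection approach, not anything the article attributes to the attackers or to Talos.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified endpoint telemetry (not real logs): process-creation
# and file-write records in the shape an EDR/Sysmon pipeline would produce.
SAMPLE_EVENTS = [
    {"ts": "2023-04-25T10:00:00", "host": "WS01", "kind": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-04-25T10:00:01", "host": "WS01", "kind": "file",
     "path": "C:\\Users\\jdoe\\Documents\\budget.xlsx.GAGUP"},
    {"ts": "2023-04-25T10:00:02", "host": "WS01", "kind": "file",
     "path": "\\\\FS01\\finance\\q1-report.docx.GAGUP"},
    {"ts": "2023-04-25T10:00:03", "host": "WS01", "kind": "file",
     "path": "\\\\FS01\\finance\\contracts.pdf.GAGUP"},
    # Benign noise: an admin only listing shadow copies, and a normal document write.
    {"ts": "2023-04-25T11:30:00", "host": "SRV02", "kind": "process",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2023-04-25T11:31:00", "host": "SRV02", "kind": "file",
     "path": "C:\\Data\\notes.txt"},
]

# vssadmin invoked with "delete shadows", any casing, with or without ".exe".
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)
GAGUP_EXT = ".gagup"  # extension reported for RA Group (compared case-insensitively)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line deletes Volume Shadow Copies via vssadmin."""
    return bool(SHADOW_DELETE_RE.search(cmdline))


def is_gagup_file(path: str) -> bool:
    """True if the written path carries the .GAGUP extension."""
    return path.lower().endswith(GAGUP_EXT)


def gagup_bursts(events, threshold=3, window=timedelta(seconds=30)):
    """Per host, count .GAGUP writes inside a sliding time window. Return the
    hosts whose peak count reaches `threshold`, noting whether any of the
    writes landed on a UNC share (the article reports shares being targeted)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["kind"] == "file" and is_gagup_file(ev["path"]):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["path"]))
    hits = {}
    for host, writes in per_host.items():
        writes.sort()
        peak, start = 0, 0
        for end in range(len(writes)):
            # Advance the window start until it is within `window` of the newest write.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[host] = {"peak": peak,
                          "touches_share": any(p.startswith("\\\\") for _, p in writes)}
    return hits


def triage(events):
    """Combine both signals into a sorted, de-duplicated list of (host, rule) alerts."""
    alerts = []
    for ev in events:
        if ev["kind"] == "process" and is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append((ev["host"], "vssadmin_shadow_delete"))
    for host, info in gagup_bursts(events).items():
        rule = "gagup_burst_on_share" if info["touches_share"] else "gagup_burst"
        alerts.append((host, rule))
    return sorted(set(alerts))


if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

On the constructed sample, WS01 raises both alerts while SRV02, where an administrator merely listed shadow copies, raises none. In a real deployment the shadow-copy rule is the higher-confidence signal (legitimate `delete shadows` is rare outside backup maintenance windows), while the rename burst threshold and window need tuning per environment; the share flag is worth routing to a higher severity because encrypted shares affect many users at once.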