RA Group, a previously unknown ransomware group, has been targeting companies in the U.S. and South Korea using leaked Babuk source code. Cisco Talos researchers discovered the group’s activities, which began on April 22, 2023, and have already compromised multiple organizations.
The researchers have strong confidence that RA Group is utilizing the leaked Babuk ransomware source code, evidenced by the similarities in the debug path and mutex name. The compromised organizations belong to various sectors, including manufacturing, wealth management, insurance providers, and pharmaceuticals.
Like other ransomware operations, RA Group employs a double extortion model and operates a data leak site. The group launches its data leak site to sell stolen data and issues customized ransom notes to victims, including their name and a unique link for downloading proof of exfiltration.
Failure to contact the group within three days results in the public release of the victim’s files. The ransomware uses intermittent encryption and employs cryptographic algorithms to encrypt only specific parts of the source file, appending the file extension “.GAGUP” to the encrypted files.
The RA Group’s activities signify an expansion in operations, as observed by the launch of their data leak site and the disclosure of victims’ details. It should be noted that RA Group is not the only threat actor utilizing the leaked Babuk source code.
SentinelLabs researchers have identified ten ransomware families based on Babuk’s source code, targeting VMware ESXi systems. This indicates an increasing number of threat actors using Babuk’s leaked source code, allowing them to create ransomware targeting Linux systems even without significant expertise.
