The RA Group uses double extortion and has detailed information on its victims.

Researchers warn of a new ransomware threat dubbed RA Group that also engages in data theft and extortion and has been hitting organizations since late April. The group’s ransomware program is built from the leaked source code of a different threat called Babuk.

“Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands,” researchers from Cisco Talos said in a new report. “This form of double extortion increases the chances that a victim will pay the requested ransom.”

The Talos team only analyzed the ransomware sample, which is the final payload, and has not determined how the attackers gain initial access to networks. It is likely through one of the usual vectors used by most ransomware gangs: exploiting vulnerabilities in publicly exposed systems, stolen remote access credentials, or buying access from a different cybercrime gang that operates a malware distribution platform. Initial access is likely followed by lateral movement and deployment of other malware tools, since the attackers are interested in first exfiltrating data that is potentially sensitive and valuable to the company.

In fact, the final ransom note dropped by the group is tailored to each individual victim, refers to them by name, and lists the exact type of data that was copied and will be leaked publicly if contact is not made within three days. This suggests that the attackers have very good insight into their victims.

The group’s data leak site was launched on April 22. By the end of the month it had already listed four victims along with their names, links to their websites, and a summary of the available data, which is also offered for sale to others.
The data itself is hosted on a Tor server, and victims need to contact the group using the qTox encrypted messaging app.

“We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation,” the Talos researchers said.

Customized ransomware based on Babuk

In addition to tailoring the ransom notes to each victim, the ransomware executable also includes the victim’s name, suggesting that the attackers compile a unique variant for each victim. The ransomware binary analyzed by Talos was compiled on April 23, was written in C++, and contains a debug path consistent with paths found in Babuk, a ransomware program whose source code was leaked online in September 2021 by a disgruntled member of the Babuk group. Since then, multiple ransomware threats have been developed from the leaked Babuk code, including Rook, Night Sky, Pandora, Cheerscrypt, AstraLocker, ESXiArgs, Rorschach, RTM Locker, and now RA Group.

Babuk used AES-256-CTR with the ChaCha8 cipher for file encryption, but RA Group takes a different approach. It uses the Windows API function CryptGenRandom to generate cryptographically random bytes that serve as a per-victim private key, which is then used in a scheme built on curve25519 and the eSTREAM cipher HC-128. Files are only partially encrypted to speed up the process and are renamed with the extension .GAGUP.

The ransomware program has a list of folders and files, primarily system-critical ones, that it will not encrypt so as to avoid crashing the system, but it does check the network for writable file shares and will attempt to encrypt files stored on them. Further operations include emptying the system recycle bin and using the vssadmin.exe tool to delete volume shadow copies that could otherwise be used to recover files.

“The actor is swiftly expanding its operations,” the Talos researchers said in their report.
“To date, the group has compromised three organizations in the US and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.”
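Two of the behaviours described above, deleting volume shadow copies with vssadmin.exe and mass-renaming files to the .GAGUP extension (including files on network shares), are cheap to look for in endpoint telemetry. The script below is an added detection example written for this article; it is not code from Cisco Talos or from the ransomware itself. The log lines are constructed for the example and use a simplified `timestamp|host|event_type|detail` layout rather than any real Sysmon or EDR schema, and the burst threshold (five renames within 60 seconds) is an assumed tuning value, not a figure from the report.

```python
"""Detection heuristics for RA Group-style ransomware activity.

Added example (not Talos or CSO code). Log format and sample events are
constructed; thresholds are assumptions a defender would tune locally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: process-creation and file-rename events.
SAMPLE_LOG = """\
2023-04-23T10:00:01|WS01|process|C:\\Windows\\System32\\svchost.exe -k netsvcs
2023-04-23T10:00:05|WS01|process|vssadmin.exe delete shadows /all /quiet
2023-04-23T10:00:06|WS01|rename|C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.GAGUP
2023-04-23T10:00:06|WS01|rename|C:\\Users\\a\\Documents\\q2.xlsx -> C:\\Users\\a\\Documents\\q2.xlsx.GAGUP
2023-04-23T10:00:07|WS01|rename|\\\\FS01\\share\\plan.docx -> \\\\FS01\\share\\plan.docx.GAGUP
2023-04-23T10:00:07|WS01|rename|\\\\FS01\\share\\budget.xlsx -> \\\\FS01\\share\\budget.xlsx.GAGUP
2023-04-23T10:00:08|WS01|rename|C:\\Users\\a\\Desktop\\notes.txt -> C:\\Users\\a\\Desktop\\notes.txt.GAGUP
2023-04-23T11:30:00|WS02|rename|C:\\Users\\b\\draft.docx -> C:\\Users\\b\\draft_v2.docx
2023-04-23T11:30:10|WS02|process|C:\\Windows\\System32\\vssadmin.exe list shadows
"""

# vssadmin invoked with "delete" and "shadows" anywhere on the command line.
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Rename whose destination carries the .GAGUP extension reported for RA Group.
GAGUP_RENAME_RE = re.compile(r"->\s*(?P<dst>.+\.GAGUP)\s*$", re.IGNORECASE)


def parse_events(text):
    """Parse the simplified pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def detect_shadow_copy_deletion(events):
    """Return process events that delete volume shadow copies via vssadmin."""
    return [e for e in events
            if e["kind"] == "process" and SHADOW_DELETE_RE.search(e["detail"])]


def gagup_destinations(events):
    """Yield (host, timestamp, destination path) for renames to .GAGUP."""
    for e in events:
        if e["kind"] != "rename":
            continue
        m = GAGUP_RENAME_RE.search(e["detail"])
        if m:
            yield e["host"], e["ts"], m.group("dst")


def detect_gagup_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map host -> peak number of .GAGUP renames inside any sliding window.

    Only hosts whose peak reaches `threshold` are reported.
    """
    per_host = defaultdict(list)
    for host, ts, _dst in gagup_destinations(events):
        per_host[host].append(ts)
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):
            while t - stamps[left] > window:   # slide the window's left edge
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts


def count_share_renames(events):
    """Count .GAGUP renames whose destination is a UNC path (network share)."""
    return sum(1 for _h, _t, dst in gagup_destinations(events) if dst.startswith("\\\\"))


def analyze(text, threshold=5):
    """Run all heuristics over a log text and return human-readable findings."""
    events = parse_events(text)
    findings = []
    for e in detect_shadow_copy_deletion(events):
        findings.append(f"{e['host']}: shadow copy deletion via {e['detail']!r}")
    for host, n in detect_gagup_bursts(events, threshold).items():
        findings.append(f"{host}: {n} files renamed to .GAGUP within 60s")
    shares = count_share_renames(events)
    if shares:
        findings.append(f"{shares} .GAGUP renames targeted network shares")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The shadow-copy rule fires on the `delete shadows` invocation only; the benign `vssadmin.exe list shadows` on WS02 is ignored, and the ordinary rename on WS02 does not count toward a burst. In practice the rename threshold should be set from a baseline of normal file activity on the host class being monitored, and the share count is worth surfacing separately because encryption of files on writable shares is how a single infected workstation damages data well beyond itself.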