The RA Group uses double extortion and has detailed information on its victims.

Researchers warn of a new ransomware threat dubbed RA Group that also engages in data theft and extortion and has been hitting organizations since late April. The group’s ransomware program is built from the leaked source code of a different threat called Babuk.

“Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands,” researchers from Cisco Talos said in a new report. “This form of double extortion increases the chances that a victim will pay the requested ransom.”

The Talos team only analyzed the ransomware sample, which is the final payload, and has not determined how the attackers gain initial access to networks. It is likely through one of the usual vectors used by most ransomware gangs: exploiting vulnerabilities in publicly exposed systems, stolen remote access credentials, or buying access from a different cybercrime gang that operates a malware distribution platform. Initial access is likely followed by lateral movement and deployment of other malware tools, since the attackers are interested in first exfiltrating data that is potentially sensitive and valuable to the company. In fact, the final ransom note dropped by the group is tailored for each individual victim, refers to them by name, and lists the exact type of data that was copied and will be leaked publicly if contact is not made within three days. This suggests that the attackers have very good insight into their victims.

The group’s data leak site was launched on April 22. By the end of the month it had already listed four victims along with their names, links to their websites, and a summary of the available data, which is also offered for sale to others.
The data itself is hosted on a Tor server, and victims need to contact the group using the qTox encrypted messaging app. “We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation,” the Talos researchers said.

Customized ransomware based on Babuk

In addition to tailoring their ransom notes to each victim, the attackers embed the victim’s name in the ransomware executable itself, suggesting that they compile a unique variant for each victim. The ransomware binary analyzed by Talos was compiled on April 23, was written in C++, and contains a debug path that is consistent with paths found in Babuk, a ransomware program whose source code was leaked online in September 2021 by a disgruntled member of the Babuk group. Since then, multiple ransomware threats have been developed from the leaked Babuk code, including Rook, Night Sky, Pandora, Cheerscrypt, AstraLocker, ESXiArgs, Rorschach, RTM Locker, and now RA Group.

Babuk used AES-256-CTR with the ChaCha8 cipher for file encryption, but RA Group takes a different approach. It uses the Windows API function CryptGenRandom to generate cryptographically random bytes that serve as a per-victim private key, which is then used in a scheme built on curve25519 and the eSTREAM cipher HC-128. Files are only partially encrypted to speed up the process and are renamed with the extension .GAGUP.

The ransomware program carries a list of folders and files, primarily system-critical ones, that it will not encrypt so as to avoid crashing the system. It does, however, check the network for writable file shares and will attempt to encrypt files stored on them. Further operations include emptying the system recycle bin and using the vssadmin.exe tool to delete volume shadow copies that could otherwise be used to recover files.

“The actor is swiftly expanding its operations,” the Talos researchers said in their report.
“To date, the group has compromised three organizations in the US and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.”
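The behaviours the report attributes to the RA Group payload (deleting volume shadow copies with vssadmin.exe, renaming encrypted files to the .GAGUP extension, and reaching out to writable network shares) are all visible in ordinary endpoint telemetry. The following detection logic is an added example written for this article, not code from Cisco Talos or from the ransomware; the event records and the flat dictionary layout it reads are constructed here and stand in for whatever process-creation and file-rename events your EDR or Sysmon pipeline produces.

```python
"""Flag RA Group-style recovery sabotage and mass .GAGUP renames in endpoint events.

Added example, not part of the original article. The event layout (one dict per
event with "type", "host" and a few fields) is an assumption standing in for a
real telemetry schema; SAMPLE_EVENTS is constructed data.
"""
import re
from collections import Counter

# vssadmin invocations that remove Volume Shadow Copies; 'vssadmin list shadows'
# is benign administration and must not trip the rule.
VSSADMIN_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE
)
# Extension the report says RA Group appends to files it has encrypted.
RANSOM_EXT = ".gagup"


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True when a process command line deletes shadow copies via vssadmin."""
    return bool(VSSADMIN_DELETE.search(command_line))


def is_ransom_rename(target_path: str) -> bool:
    """True when a file rename lands on the RA Group encrypted-file extension."""
    return target_path.lower().endswith(RANSOM_EXT)


def is_network_share_path(path: str) -> bool:
    """UNC paths (\\\\server\\share\\...) indicate a remote SMB share being touched."""
    return path.startswith("\\\\")


def scan_events(events, rename_threshold=3):
    """Return (host, rule, detail) alerts for the indicators described in the report.

    A single .GAGUP rename may be noise; a burst on one host is treated as mass
    encryption. Renames on UNC paths get their own alert because the payload
    deliberately seeks writable network shares.
    """
    alerts = []
    renames_by_host = Counter()
    share_renames_by_host = Counter()
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process" and is_shadow_copy_deletion(ev["command_line"]):
            alerts.append((host, "shadow_copy_deletion", ev["command_line"]))
        elif ev["type"] == "file_rename" and is_ransom_rename(ev["target"]):
            renames_by_host[host] += 1
            if is_network_share_path(ev["target"]):
                share_renames_by_host[host] += 1
    for host, n in renames_by_host.items():
        if n >= rename_threshold:
            alerts.append((host, "mass_gagup_rename", f"{n} files renamed to {RANSOM_EXT}"))
    for host, n in share_renames_by_host.items():
        alerts.append((host, "gagup_rename_on_share", f"{n} renames on SMB share paths"))
    return alerts


# Constructed sample telemetry: WS01 shows the full pattern, WS02 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_rename", "host": "WS01",
     "source": r"C:\Users\alice\Documents\q1.xlsx",
     "target": r"C:\Users\alice\Documents\q1.xlsx.GAGUP"},
    {"type": "file_rename", "host": "WS01",
     "source": r"C:\Users\alice\Documents\report.docx",
     "target": r"C:\Users\alice\Documents\report.docx.GAGUP"},
    {"type": "file_rename", "host": "WS01",
     "source": r"\\FS01\finance\budget.xlsx",
     "target": r"\\FS01\finance\budget.xlsx.GAGUP"},
    {"type": "process", "host": "WS02",
     "command_line": "vssadmin list shadows"},
    {"type": "file_rename", "host": "WS02",
     "source": r"C:\temp\a.txt", "target": r"C:\temp\a.bak"},
]

if __name__ == "__main__":
    for host, rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Run against the constructed events, the scan raises three alerts, all for WS01: the shadow-copy deletion, the burst of three .GAGUP renames, and the one rename on a UNC share path; WS02's read-only vssadmin listing and ordinary .bak rename produce nothing. In production the rename threshold should be tuned per environment, and the shadow-copy rule is worth pairing with the same check on wmic shadowcopy delete and PowerShell equivalents, which this example does not cover.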