lconstantin
CSO Senior Writer

New ransomware gang RA Group quickly expanding operations

News Analysis

May 15, 2023 | 4 mins

Cyberattacks, Cybercrime, Ransomware

The RA Group uses double extortion and has detailed information on its victims.

Researchers warn of a new ransomware threat dubbed RA Group that also engages in data theft and extortion and has been hitting organizations since late April. The group’s ransomware program is built from the leaked source code of a different threat called Babuk.

“Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands,” researchers from Cisco Talos said in a new report. “This form of double extortion increases the chances that a victim will pay the requested ransom.”

The Talos team only analyzed the ransomware sample, which is the final payload, and has not determined how the attackers gain initial access to networks. It is likely through one of the usual vectors used by most ransomware gangs: exploiting vulnerabilities in publicly exposed systems, using stolen remote access credentials, or buying access from a different cybercrime gang that operates a malware distribution platform.

Initial access is likely followed by lateral movement and deployment of other malware tools, since the attackers are interested in first exfiltrating data that is potentially sensitive and valuable to the company. In fact, the final ransom note dropped by the group is tailored to each individual victim, refers to them by name, and lists the exact type of data that was copied and will be leaked publicly if contact is not made within three days. This suggests that the attackers have very good insight into their victims.

The group’s data leak site was launched on April 22. By the end of the month it had already listed four victims along with their names, links to their websites, and a summary of the available data that is also made available for sale to others. The data itself is hosted on a Tor server and victims need to contact the group using the qTox encrypted messaging app.

“We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation,” the Talos researchers said.

Customized ransomware based on Babuk

In addition to the tailored ransom notes, the ransomware executable itself includes the victim’s name, suggesting that the attackers compile a unique variant for each victim. The ransomware binary analyzed by Talos was compiled on April 23, was written in C++, and contains a debug path consistent with paths found in Babuk, a ransomware program whose source code was leaked online in September 2021 by a disgruntled member of the Babuk group. Since then, multiple ransomware threats have been developed from the leaked Babuk code, including Rook, Night Sky, Pandora, Cheerscrypt, AstraLocker, ESXiArgs, Rorschach, RTM Locker, and now RA Group.

Babuk used AES-256-CTR together with the ChaCha8 cipher for file encryption, but RA Group takes a different approach. It calls the Windows API function CryptGenRandom to generate cryptographically random bytes, which serve as a per-victim private key in an encryption scheme built on curve25519 and the eSTREAM stream cipher HC-128. Files are only partially encrypted to speed up the process and are renamed with the extension .GAGUP.

The ransomware program carries a list of folders and files, primarily system-critical ones, that it will not encrypt so as to avoid crashing the system. It does, however, check the network for writable file shares and will attempt to encrypt the files stored on them. It also empties the system recycle bin and uses the vssadmin.exe tool to delete volume shadow copies that could otherwise be used to recover files.
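Two of the behaviours described above, shadow copy deletion via vssadmin.exe and a burst of renames to the .GAGUP extension on a writable share, are cheap to detect from endpoint telemetry. The following is an added illustration, not code from Talos or from the article; the event records are constructed for the example and their field names (type, image, cmdline, path) are an assumed simplification of process-creation and file-rename events.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the Talos report): two vssadmin
# process creations and a handful of file renames, some on a network share.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"type": "rename", "path": r"\\fileserver\finance\q1.xlsx.GAGUP"},
    {"type": "rename", "path": r"\\fileserver\finance\q2.xlsx.GAGUP"},
    {"type": "rename", "path": r"\\fileserver\finance\notes.docx.GAGUP"},
    {"type": "rename", "path": r"C:\Users\alice\report.pdf.GAGUP"},
    {"type": "rename", "path": r"C:\Users\alice\photo.jpg"},
]

# Any vssadmin invocation that deletes shadow copies; "list shadows" is benign.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RANSOM_EXT = ".gagup"  # extension the report attributes to RA Group


def shadow_copy_deletions(events):
    """Return command lines where vssadmin.exe is used to delete shadow copies."""
    return [e["cmdline"] for e in events
            if e["type"] == "process"
            and e["image"].lower().endswith("vssadmin.exe")
            and SHADOW_DELETE.search(e["cmdline"])]


def gagup_renames_by_location(events, threshold=3):
    """Count .GAGUP renames per directory and return those at or above threshold.

    Grouping by directory surfaces a burst on a single network share, which is
    where the report says the ransomware looks for writable targets.
    """
    counts = Counter()
    for e in events:
        if e["type"] == "rename" and e["path"].lower().endswith(RANSOM_EXT):
            counts[e["path"].rsplit("\\", 1)[0]] += 1
    return {d: n for d, n in counts.items() if n >= threshold}


def triage(events):
    """Combine both signals; alert only when they occur together."""
    deletions = shadow_copy_deletions(events)
    bursts = gagup_renames_by_location(events)
    return {"shadow_copy_deletion": deletions, "rename_bursts": bursts,
            "alert": bool(deletions and bursts)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```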

“The actor is swiftly expanding its operations,” the Talos researchers said in their report. “To date, the group has compromised three organizations in the US and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.”