RA Group Ransomware Dissection
Researchers have discovered a new ransomware group called RA Group that has been active for at least a month.
The group has already compromised three organizations in the U.S. and one in South Korea. Researchers say the group is using the leaked Babuk ransomware source code.
The binary carries the debug path “C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb” and uses the same mutex name as the Babuk ransomware, which suggests the malware was built from Babuk’s leaked source code.
RA Group also uses a double-extortion model and runs a data leak site, as other threat actors do.
The RA Group ransomware executable uses Curve25519 for key exchange and the eSTREAM stream cipher HC-128 for file encryption. It encrypts only part of each file’s contents rather than the entire file, so encryption finishes faster while the file is still rendered unusable.
After encrypting the files, the malware empties the victim machine’s Recycle Bin using the SHEmptyRecycleBinA API and deletes volume shadow copies. Encrypted files have the extension “.GAGUP” appended to their names.
It only encrypts files and folders that are not on a hardcoded exclusion list; skipping those paths avoids encrypting files whose loss would impair the infected system.
Once the victim’s files are encrypted, the gang drops customized ransom notes (“How To Restore Your Files.txt”) that include the victim’s name and a unique link to download proof of the exfiltrated data. If the ransom is not paid within three days, the data is leaked.
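The following block is an added example, not code from RA Group, Babuk or Cisco Talos. It models the partial-file encryption, hardcoded exclusion list and “.GAGUP” rename described above, and shows why a whole-file entropy check misses intermittent encryption while a sliding-window check flags it. Everything in it is assumed for illustration: the keystream is SHA-256 in counter mode standing in for HC-128 (neither HC-128 nor the Curve25519 exchange is implemented here), and the chunk and gap sizes, small-file threshold, exclusion list and sample plaintext are constructed rather than taken from the sample.

```python
"""Added illustration, not code from RA Group, Babuk or Cisco Talos.

Models the partial-file encryption and hardcoded exclusion list described
above, and shows why a whole-file entropy check misses it while a
sliding-window check does not.

Constructed assumptions:
  * The keystream is SHA-256 in counter mode, a stand-in for HC-128
    (HC-128 itself and the Curve25519 key exchange are not implemented).
  * Chunk/gap sizes, the small-file threshold, the exclusion list and the
    sample plaintext are illustrative, not values taken from the sample.
"""
import hashlib
import math
from collections import Counter
from os.path import splitext

EXT = ".GAGUP"                 # extension the text reports on encrypted files
SKIP_DIRS = {"windows", "program files", "$recycle.bin"}   # constructed list
SKIP_EXTS = {".exe", ".dll", ".sys", EXT.lower()}          # constructed list

SMALL_FILE = 64 * 1024   # up to this size the whole file is encrypted
CHUNK = 16 * 1024        # bytes encrypted at the start of each block ...
GAP = 48 * 1024          # ... followed by this many bytes left in clear


def keystream(key, nonce, length):
    """SHA-256 counter-mode keystream; a stand-in for HC-128, not HC-128."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:length])


def should_skip(path):
    """True if any parent directory or the extension is on the exclusion list."""
    parts = path.replace("\\", "/").split("/")
    if any(p.lower() in SKIP_DIRS for p in parts[:-1]):
        return True
    return splitext(parts[-1])[1].lower() in SKIP_EXTS


def plan_target(path):
    """Name of the encrypted file, or None when the path is excluded."""
    return None if should_skip(path) else path + EXT


def encrypted_ranges(n):
    """Byte ranges to encrypt for a file of n bytes (intermittent scheme)."""
    if n <= SMALL_FILE:
        return [(0, n)]
    ranges, off = [], 0
    while off < n:
        ranges.append((off, min(off + CHUNK, n)))
        off += CHUNK + GAP
    return ranges


def partial_encrypt(data, key, nonce):
    """XOR only the selected ranges; running it again with the same key/nonce decrypts."""
    buf = bytearray(data)
    for idx, (start, end) in enumerate(encrypted_ranges(len(buf))):
        ks = keystream(key, nonce + idx.to_bytes(4, "little"), end - start)
        mixed = int.from_bytes(buf[start:end], "big") ^ int.from_bytes(ks, "big")
        buf[start:end] = mixed.to_bytes(end - start, "big")
    return bytes(buf)


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5, window=4096):
    """(whole-file verdict, sliding-window verdict) against an entropy threshold."""
    whole = entropy(data) >= threshold
    windowed = any(entropy(data[i:i + window]) >= threshold
                   for i in range(0, len(data), window))
    return whole, windowed


# Constructed low-entropy sample document (256 KiB of repeated text).
SAMPLE_PLAINTEXT = (b"quarterly report: revenue up 3% on stable costs\n" * 6000)[:256 * 1024]


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()   # constructed key
    nonce = b"\x00" * 8
    enc = partial_encrypt(SAMPLE_PLAINTEXT, key, nonce)
    return {
        "ranges": encrypted_ranges(len(SAMPLE_PLAINTEXT)),
        "plain_flags": looks_encrypted(SAMPLE_PLAINTEXT),
        "enc_flags": looks_encrypted(enc),
        "roundtrip_ok": partial_encrypt(enc, key, nonce) == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these constructed parameters only a quarter of a 256 KiB file is touched, so the whole-file entropy stays well under a typical 7.5-bit threshold while every 4 KiB window inside an encrypted chunk exceeds it; a detector that scores files by windows rather than as a whole keeps working against this scheme.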
- RA Group launched their data leak site on April 22, 2023.
- On April 27, the first batch of victims, three in total, was posted, followed by another on April 28.
- Cosmetic changes were made to the leak site after the victims’ details were posted, suggesting the operation is still in its early stages.
- The group is attempting to sell the stolen data through the leak site.
Researchers note that the availability of the leaked source code lets threat actors build ransomware targeting Linux systems even if they lack the expertise to write it themselves.
This research was documented by researchers from Cisco Talos.
Indicators of Compromise