April 24, 2024

Researchers have discovered a new ransomware called RA Group that has been active for alteast a momth,

The group has already compromised three organizations in the U.S. and one in South Korea. Researchers say that the group is using the leaked Babuk ransomware source code.

The binary has the debug path “C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb” that has the same mutex name as the Babuk ransomware, suggests the malware borrows Babuk’s leaked source code.

The RA Group also uses a double extortion model and runs a date leak site similar to other threat actors.

Advertisements

RA Group ransomware executable uses the cryptography scheme with curve25519 and eSTREAM cipher hc-128 algorithm for encryption. This process encrypts only a certain part of the source file’s contents, not the entire file.

Once encrypted the file, the malicious code deletes the contents of the victim machine’s Recycle Bin using the API SHEmptyRecyclebinA and deletes the volume shadow copy. It appends the file extension “.GAGUP” to the name of the encrypted files.

They only target files and folders that are not included in a hardcoded list, this trick allows to avoid encrypting files that can impair the infected system.

Once encrypted the victims files RA Group, the gang drops customized ransom notes (“How To Restore Your Files.txt.”), which include the victim’s name and a unique link to download the exfiltration proofs. If ransom is not paid within 3 days then the data is leaked

Source – Talos

Timeline

  • RA Group launched their data leak site on April 22, 2023.
  • On April 27, the first batch of victims, three in total, followed by another one on April 28.
  • They make cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.
  • Attempting to sell the stolen data through its leak site.

Researchers said that the availability of the leaked source code allows threat actors to create ransomware to target Linux systems, even if they lack expertise.

Advertisements

This research was documented by researchers from Cisco Talos

Indicators of Compromise

  • 3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e
  • hxxp[://]hkpomcx622gnqp2qhenv4ceyrhwvld3zwogr4mnkdeudq2txf55keoad[.]onion
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

CrushFTP Zeroday Vulnerability Exploited in Wild attack

April 21, 2024

TheCyberThrone Security Week In Review – April 20, 2024

April 21, 2024

MITRE Breached Exploiting Ivanti Zeroday

April 20, 2024

GPT-4 can exploit vulnerabilities with ease

April 19, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading