Cybersecurity Snapshots #42 - New Ransomware Gang Discovered: The RA Group

According to security researchers at GuidePoint Security, LockBit was once again the most prolific ransomware group, accounting for 31% of victims posted on leak sites in April, followed by Alphv (14%). Overall, however, the ransomware landscape is increasingly made up of a large number of smaller groups: the researchers observed 27 unique active threat groups in April 2023. One of the smaller ransomware gangs recently discovered is called "RA Group." Security researchers at Cisco Talos discovered the gang, which emerged online on April 22.

The security researchers at Cisco Talos stated that RA Group has already claimed to have stolen nearly 2.5 terabytes of data from just four victims, three in the U.S. and one in South Korea. Three of the victims were posted on April 27 and the fourth on April 28. The targets include a smaller company in the insurance industry, two larger companies in financial services, and an electronics supplier serving the computer, communication, aerospace, marine, and military industries.

The security researchers found that, as is usual for such groups, ransom notes are built into the code and personalized for each victim organization. RA Group is unusual, however, in also naming the victim inside the executable. The researchers noted that both the debug path and the fact that the ransomware uses the same mutex as Babuk support Cisco Talos's assessment that the group is building on the Babuk source code, which was leaked in September 2021. The executable itself uses curve25519 and the eSTREAM cipher hc-128, but it only partially encrypts each file in order to speed up the process. Once encryption completes, a ".Gagup" extension is appended to the affected files, and the recycle bin contents and volume shadow copies are deleted. Cisco Talos noted that RA Group does not encrypt every file and folder, leaving some untouched so that victim organizations can "download the qTox application and contact RA Group operators using the qTox ID provided on the ransom note."
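As an added illustration (not from the Cisco Talos write-up), the two host-side behaviours the article attributes to RA Group, a burst of files renamed to the ".Gagup" extension and deletion of volume shadow copies, can be surfaced from endpoint telemetry. The event line format below is constructed, and the use of a vssadmin command for the shadow-copy deletion is an assumption; the article only says the copies are deleted.

```python
"""Flag per-host ".Gagup" rename bursts and shadow-copy deletion in
constructed endpoint events. Log format and the vssadmin command line
are assumptions, not details reported by Cisco Talos."""
import re
from collections import defaultdict

# Constructed sample events: "<time> <host> <event> <details>"
SAMPLE_EVENTS = """\
10:01:02 ws01 FileRename C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.Gagup
10:01:02 ws01 FileRename C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.Gagup
10:01:03 ws01 FileRename C:\\Users\\a\\Pictures\\img1.png -> C:\\Users\\a\\Pictures\\img1.png.Gagup
10:01:03 ws01 ProcessCreate vssadmin.exe delete shadows /all /quiet
10:02:10 ws02 FileRename C:\\tmp\\a.txt -> C:\\tmp\\a.bak
10:02:11 ws02 ProcessCreate notepad.exe C:\\tmp\\a.bak
"""

RENAME_RE = re.compile(r"^(\S+) (\S+) FileRename .+ -> (.+)$")
PROC_RE = re.compile(r"^(\S+) (\S+) ProcessCreate (.+)$")
# Assumed deletion method; the article does not name the command used.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


def analyze(events: str, rename_threshold: int = 3) -> dict:
    """Return per-host findings for hosts showing either indicator.

    A host is flagged when it renames at least `rename_threshold` files
    to .Gagup or when a shadow-copy deletion command is seen."""
    gagup = defaultdict(int)   # host -> count of renames to .Gagup
    shadow = defaultdict(bool)  # host -> shadow copies deleted?
    for line in events.splitlines():
        m = RENAME_RE.match(line)
        if m and m.group(3).lower().endswith(".gagup"):
            gagup[m.group(2)] += 1
            continue
        m = PROC_RE.match(line)
        if m and SHADOW_DELETE_RE.search(m.group(3)):
            shadow[m.group(2)] = True
    hosts = set(gagup) | set(shadow)
    return {
        h: {
            "gagup_renames": gagup[h],
            "shadow_deleted": shadow[h],
            "alert": gagup[h] >= rename_threshold or shadow[h],
        }
        for h in hosts
    }


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding)
```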

After analyzing previous ransom notes, Cisco Talos asserted that victims get three days to contact their extortionists, after which RA Group begins to leak their files. The researchers noted that victims can confirm the exfiltration of their data by downloading a file via the gofile[.]io link in the ransom note. Cisco stated that there is no information so far on how the group gains initial access or conducts post-intrusion activity.

The researchers at Cisco Talos noted that the RA Group website has undergone cosmetic changes since it was first published, "confirming they are in the early stages of their operation." The researchers warned that the group is ramping up activity fast and that it should not be underestimated.

Submitted by Anonymous on