Description
Cisco Talos recently discovered a new ransomware group, RA Group, that has been actively targeting companies in the United States and South Korea with a new ransomware built from leaked source code.
Details
The group behind this attack, known as RA Group, began its ransomware operation in April 2023. The group was seen targeting companies in the United States and South Korea, more specifically pharmaceutical, insurance, wealth management, and manufacturing firms. Talos Intelligence assessed with high confidence that the group has leveraged the leaked Babuk ransomware source code and customized it to its own needs.
The Babuk ransomware was an inexpertly written malware discovered in 2021 that targeted multiple geographies, including Germany, Hong Kong, Sweden, and the United States. Following internal disputes within the group, one member allegedly leaked the entire Babuk source code online. Various ransomware families have since adopted the code and customized it to their benefit, making improvements and changes to the encryption and the attack chain. Talos notes that between 2021 and 2023 the ransomware families Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach and RTM Locker adopted and used the Babuk source code in their operations.
RA Group carries out double extortion attacks: data on the victim's devices is encrypted and also exfiltrated by the threat actor, who then threatens to release it online if the ransom is not paid. RA Group operates a data leak website that is used to publish the data of victims who fail to contact the group within a specified time or do not meet its ransom demands. The data leak website was launched on April 22, 2023, and by April 27 Talos observed the first three batches of victim data posted online, followed by another leak on April 28. The website discloses the name of the victim's organization, a list of the exfiltrated data and its total size, and the victim's official URL. The website also offers an option to buy the victim's exfiltrated data.
RA Group's ransomware targets all logical drives on the victim's machine along with any network shares and resources. However, it does not encrypt every file and folder: a built-in list of folders is excluded so that the victim's machine is not rendered inoperable. It uses curve25519 and the eSTREAM cipher HC-128 for encryption, together with intermittent encryption, a technique that speeds up file encryption by encrypting only certain sections of each file instead of the whole file. Because only parts of each file are overwritten, detections that rely on whole-file entropy or format checks may miss partially encrypted files, so the extension change and the ransom note remain the more reliable file-level indicators. The ransomware uses the WinAPI function CryptGenRandom to generate cryptographically random bytes that serve as the private key for each victim. After encrypting the files, it appends the extension .GAGUP to the encrypted files on the victim's machine and drops a custom ransom note named How To Restore Your Files.txt. The note is written specifically for each victim, listing their name, the files that were encrypted and retrieved, and custom links offering proof of exfiltration. The ransomware also empties the victim machine's Recycle Bin with the SHEmptyRecycleBinA API and deletes volume shadow copies by executing the local Windows binary vssadmin.exe.
Because this ransomware is fairly new, with only a few victims, it is unclear how it targets and breaches its victims' networks and devices.
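The host and file-server behaviours described above (shadow copy deletion through vssadmin.exe, the .GAGUP extension and the ransom note name) can be turned into simple detection checks. The following Python is an added example written for this advisory, not code from Talos, the CIRT or the ransomware itself. The process-creation event lines and the file paths are constructed samples, and the one-line key=value layout is an assumption about how a Sysmon process-creation export might be flattened; adapt the parser to whatever your SIEM actually emits.

```python
"""Detection helpers for the RA Group ransomware behaviours in this advisory.

Added example code; the events and paths below are constructed, and the
key=value line format is an assumed flattening of Sysmon Event ID 1 records.
"""
import re

# Indicators taken directly from the advisory text.
RANSOM_EXTENSION = ".gagup"
RANSOM_NOTE = "how to restore your files.txt"

# vssadmin.exe used to remove volume shadow copies. Argument order and the
# presence of ".exe" vary, so match the tokens rather than an exact string.
VSSADMIN_DELETE_SHADOWS = re.compile(
    r"vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)

# Constructed sample: one process-creation event per line, key=value fields,
# values containing spaces wrapped in double quotes.
SAMPLE_EVENTS = [
    'Host=WS01 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet" '
    'ParentImage=C:\\Users\\Public\\update.exe',
    'Host=WS01 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin list shadows" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Host=WS02 Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c vssadmin delete shadows /for=C: /quiet" '
    'ParentImage=C:\\Users\\Public\\update.exe',
    'Host=WS03 Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe" '
    'ParentImage=C:\\Windows\\System32\\userinit.exe',
]

# Constructed sample: paths observed on a file share, e.g. from an audit walk.
SAMPLE_FILES = [
    r"\\fs01\finance\Q1-report.xlsx.GAGUP",
    r"\\fs01\finance\budget.docx.GAGUP",
    r"\\fs01\finance\How To Restore Your Files.txt",
    r"\\fs01\finance\readme.txt",
    r"\\fs01\hr\policy.pdf",
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse a flattened key=value event line into a dict, dropping quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def shadow_copy_deletions(events):
    """Return the parsed events in which vssadmin was used to delete shadows.

    "vssadmin list shadows" is benign administration and is not flagged; a
    deletion launched via cmd.exe still matches because the command line,
    not the image name, is inspected.
    """
    hits = []
    for line in events:
        event = parse_event(line)
        if VSSADMIN_DELETE_SHADOWS.search(event.get("CommandLine", "")):
            hits.append(event)
    return hits


def ransomware_file_indicators(paths, min_encrypted=2):
    """Group paths by directory and return the directories that contain
    either at least min_encrypted files with the .GAGUP extension or the
    RA Group ransom note. A single renamed file is not enough on its own."""
    per_dir = {}
    for path in paths:
        directory, _, name = path.rpartition("\\")
        stats = per_dir.setdefault(directory, {"encrypted": 0, "note": False})
        lowered = name.lower()
        if lowered.endswith(RANSOM_EXTENSION):
            stats["encrypted"] += 1
        if lowered == RANSOM_NOTE:
            stats["note"] = True
    return {
        directory: stats
        for directory, stats in per_dir.items()
        if stats["encrypted"] >= min_encrypted or stats["note"]
    }


if __name__ == "__main__":
    for event in shadow_copy_deletions(SAMPLE_EVENTS):
        print("shadow copy deletion:", event["Host"], event["CommandLine"])
    for directory, stats in ransomware_file_indicators(SAMPLE_FILES).items():
        print("ransomware artefacts in", directory, stats)
```

Both checks are deliberately narrow: the process rule keys on the vssadmin behaviour the advisory names rather than on a hash, and the file rule requires either the ransom note or several renamed files so that a single user-renamed file does not page an analyst. Pair them with the Talos IOC list for hash and infrastructure matching.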
Indicators of Compromise
A list of IOCs for this ransomware can be found on the following link: https://github.com/Cisco-Talos/IOCs/blob/main/2023/05/ra-group-ransomware.txt
Remediation
It is unclear how this ransomware is delivered, so there are no delivery-specific remediation steps for this attack. However, we recommend the following general guidance for safeguarding against ransomware:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: New ransomware group targets companies internationally.pdf
References