New identified ransomware group targets companies internationally (May 16, 2023)

Ref# AL2023_38 | Date: May 24th 2023

Description  

Cisco Talos recently discovered a new ransomware group called RA Group that has been actively targeting companies in the United States and South Korea with their new ransomware created from leaked code.

Details 

The group behind this attack is known as RA Group, which began its ransomware operation in April 2023. The group was seen targeting companies in the United States and South Korea, more specifically pharmaceutical, insurance, wealth, and manufacturing firms. Talos Intelligence assessed with high confidence that the group has most likely leveraged the leaked Babuk ransomware code and customized it to its own needs.

The Babuk ransomware was an inexpertly written malware that was discovered in 2021 targeting multiple geographies such as Germany, Hong Kong, Sweden, and the United States. However, due to internal problems within the group, one member allegedly leaked the entire Babuk source code online. This led to various ransomware families adopting the code and customizing it to their benefit, making improvements and changes to the encryption and attack chain. The Talos team mentioned that from 2021 to 2023 the ransomware families Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach and RTM Locker adopted and used the Babuk source code in their operations.

RA Group carries out double extortion attacks. This is where data is encrypted on the victim's device and exfiltrated by the threat actor, who then threatens to release the data online if the ransom is not paid. RA Group operates a data leak website that is used to publish the data of victims who fail to contact them within a specified time or do not meet their ransom demands. The data leak website was launched on April 22, 2023, and by April 27, Talos observed the first three batches of victims' data posted online, followed by another data leak on April 28. The website discloses the name of the victim's organization, a list of their exfiltrated data and its total size, and the victim's official URL. The website also provides an option to buy the victim's exfiltrated data.

RA Group's ransomware targets all logical drives on the victim's machine along with any network shares and resources. However, the ransomware does not encrypt all files and folders; it excludes a list of folders so that the victim's machine is not rendered inoperable. It uses curve25519 and the eSTREAM cipher HC-128 for its encryption, together with intermittent encryption, a technique that speeds up file encryption by encrypting only certain sections of a file instead of the whole file. The ransomware uses the WinAPI function CryptGenRandom to generate cryptographically random bytes used as a private key for each victim. After encrypting the files, the ransomware appends the file extension .GAGUP to the encrypted files on the victim's machine and drops a custom ransom note called How To Restore Your Files.txt. The ransom note is written specifically for each victim, listing their name, the files that were encrypted and retrieved, and custom links to show exfiltration proof. The ransomware also deletes the contents of the victim machine's Recycle Bin with the API SHEmptyRecycleBinA and removes volume shadow copies by executing the local Windows binary vssadmin.exe.
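As an added example (not from the advisory or from Talos), the following Python script runs a simple detection pass over constructed sample telemetry for the host-level indicators described above: the vssadmin.exe shadow-copy deletion, the .GAGUP file extension and the ransom note file name. The pipe-delimited event format, host names and file paths are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs): "<time>|<event>|<host>|<detail>".
# PROCESS detail is a command line; FILE detail is a created/renamed file path.
SAMPLE_EVENTS = [
    "2023-05-16T09:12:01|PROCESS|WS01|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2023-05-16T09:12:05|PROCESS|WS01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2023-05-16T09:12:09|FILE|WS01|C:\\Users\\alice\\Documents\\budget.xlsx.GAGUP",
    "2023-05-16T09:12:10|FILE|WS01|C:\\Users\\alice\\Documents\\How To Restore Your Files.txt",
    "2023-05-16T09:13:00|FILE|WS02|\\\\fileshare\\finance\\q1.docx",
]

# Indicators taken from the advisory text; compared case-insensitively.
RANSOM_EXTENSION = ".gagup"
RANSOM_NOTE = "how to restore your files.txt"
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    host: str
    time: str
    rule: str
    detail: str

def classify(event: str):
    """Return a Finding for one pipe-delimited event line, or None if it is benign."""
    time, kind, host, detail = event.split("|", 3)
    if kind == "PROCESS" and SHADOW_DELETE.search(detail):
        return Finding(host, time, "shadow_copy_deletion", detail)
    if kind == "FILE":
        name = detail.rsplit("\\", 1)[-1].lower()   # file name component only
        if name.endswith(RANSOM_EXTENSION):
            return Finding(host, time, "gagup_extension", detail)
        if name == RANSOM_NOTE:
            return Finding(host, time, "ransom_note_dropped", detail)
    return None

def scan_events(events):
    """Run every event through classify() and group the triggered rules per host."""
    findings = [f for f in (classify(e) for e in events) if f]
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return findings, per_host

def hosts_with_multiple_indicators(per_host):
    """A host showing more than one rule is a stronger signal than any single hit."""
    return sorted(h for h, rules in per_host.items() if len(rules) > 1)

if __name__ == "__main__":
    found, by_host = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.host} {f.rule}: {f.detail}")
    print("hosts with multiple indicators:", hosts_with_multiple_indicators(by_host))
```

Shadow-copy deletion alone is also performed by legitimate administration, so the per-host grouping is what turns individual hits into a ransomware signal.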

Because this ransomware is fairly new with only a few victims, it is unclear how it targets and breaches its victims' networks and devices.

Indicators of Compromise 

A list of IOCs for this ransomware can be found on the following link: https://github.com/Cisco-Talos/IOCs/blob/main/2023/05/ra-group-ransomware.txt

Remediation 

It is unclear how this ransomware is delivered and therefore we cannot provide specific remediation steps for the attack. However, we recommend the following general tips for safeguarding against ransomware:

  1. Be wary of emails with suspicious attachments.
  2. Because most ransomware attacks are delivered through phishing and scams, it is necessary that users know how to spot phishing and scam emails.
  3. Be wary of files downloaded from the internet. Any file should be downloaded from verified sources and scanned.
  4. It is recommended to avoid downloading torrents and pirated software.
  5. Be on the lookout for websites that may be compromised and attempt a drive-by download.
  6. Maintain regular backups of critical systems and data in case of a ransomware attack.
  7. Withhold administrative and system access from users who do not require those privileges.
  8. Maintain and update all security software including anti-virus, anti-malware, firewalls, and endpoint protections.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: New ransomware group targets companies internationally.pdf
