• Donate
    TheWindowsForum.com needs donations to stay online!
    Love TheWindowsForum.com? Then help keep it alive by sending a donation!

New RA Group ransomware targets U.S. orgs in double-extortion attacks


Our community has more than 63,000 registered members, and we'd love to have you as a member. Join us and take part in our unbiased discussions among people of all different backgrounds about Windows OS, Software, Hardware and more.


Ultimate Donator
Jun 26, 2021
  • May 15, 2023
  • 10:27 AM
  • 0


A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea.
The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.
While the extortion portal was launched on April 22nd, 2023, the first batch of victimized organizations was published on April 27th, including sample files, a description of the type of content that was stolen, and links to stolen data.
Victim entry on RA Group's extortion site
Victim entry on RA Group's extortion site
Source: BleepingComputer
In a new report by Cisco Talos, researchers explain that RA Group uses an encryptor based on the leaked source code for the Babuk ransomware, a ransomware operation that shut down in 2021.
Last week, Sentinel Labs reported that at least nine distinct ransomware operations are using the Babuk source code that was leaked on a Russian-speaking hacker forum in September 2021, as it gives threat actors an easy way to expand their broaden their scope to cover Linux and VMware ESXi.
In addition to the ransomware groups cited in the Sentinel Labs report as users of Babuk, Cisco Talos also mentions Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, and ESXiArgs.
Ransomware groups using the leaked Babuk code
Ransomware groups using the leaked Babuk code (Cisco)

RA Group attack details​

A notable characteristic of RA Group is that each attack features a custom ransom note written specifically for the targeted organization, while the executable is also named after the victim.
The ransomware targets all logical drives on the victim's machine and network shares and attempts to encrypt specific folders, excluding those related to the Windows system, boot, Program Files, etc.
This is to avoid rendering the victim's system unusable, making it unlikely to receive a ransom payment.
RA Group's encryptor uses intermittent encryption, which is to alternative between encrypting and not encrypting sections of a file to speed up the encryption of a file. However, this approach can be risky as it allows some data to be partially recovered from files.
When encrypting data, the encryptor will use curve25519 and eSTREAM cipher hc-128 algorithms.
Encrypted files are appended the filename extension ".GAGUP" while all volume shadow copies and Recycle Bin contents are wiped to prevent easy data restoration.
Deleting shadow copies
Deleting shadow copies (Cisco)
The ransom note dropped on the victim's system is named 'How To Restore Your Files.txt' and requires the victim to use qTox messenger to contact the threat actors and negotiate a ransom.
The note also includes a link to a repository containing files stolen from the victim as proof of the data breach.
A sample of RA Group's ransom note
A sample of RA Group's ransom note (Cisco)
The threat actors claim to give victims three days before a sample of stolen data is published on extortion sites, but like other ransomware operations, this is likely open to negotiation.
As this is a relatively new ransomware operation, with only a few victims, it is unclear how they breach systems and spread laterally on a network.