
A new kind of ransomware: threat actors have been detected targeting large enterprises, expecting equally large payouts.
Cybersecurity researchers from Talos discovered a threat actor called RA Group, which began operations in April 2023 using Babuk source code that had apparently been leaked earlier by one of that gang's former members.
So far, the group has successfully attacked three organizations in the United States and one in South Korea. It appears to have no industry preference: the victims operate in manufacturing, wealth management, insurance and pharmaceuticals.
Personalized ransom note
There is nothing special about RA Group. It launches a double extortion attack, stealing sensitive data while encrypting the system, hoping to incentivize victims to pay the ransom. Its website appears to be a work in progress, as the group is still making cosmetic changes. When it publishes exfiltrated data, the site discloses the victim's name, a list of the stolen data, the total size, and the victim's website.
The ransom note is personalized for each victim, the researchers added, noting that this is also standard practice among ransomware threat actors. What is not standard practice, however, is naming the victim inside the executable as well.
The malware encrypts only part of each file so that it can work faster. Once encryption is complete, the file is given a .GAGUP extension. The ransomware then calls the SHEmptyRecycleBinA API to empty the Recycle Bin and deletes the shadow copies by running vssadmin.exe, the native Windows administrative tool for managing shadow copies.
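As an added defender's example (not code from the Talos report or this article), the small Python detector below flags the two host-level traces the paragraph describes: vssadmin.exe deleting shadow copies and a burst of files renamed to the .GAGUP extension. The "kind|host|detail" log format, the hostnames, the file paths and the vssadmin command line are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the Talos report): "kind|host|detail"
# lines, roughly what an EDR would emit for process creation and file renames.
SAMPLE_EVENTS = [
    "proc|HOST01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "proc|HOST01|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "proc|HOST02|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "rename|HOST01|D:\\finance\\q1.xlsx -> D:\\finance\\q1.xlsx.GAGUP",
    "rename|HOST01|D:\\finance\\q2.xlsx -> D:\\finance\\q2.xlsx.GAGUP",
    "rename|HOST01|D:\\finance\\q3.xlsx -> D:\\finance\\q3.xlsx.GAGUP",
    "rename|HOST02|C:\\tmp\\draft.docx -> C:\\tmp\\draft_v2.docx",
]

# vssadmin.exe invoked with both "delete" and "shadows" on its command line
VSSADMIN_DELETE = re.compile(r"\\vssadmin\.exe\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# a rename whose destination path ends in the .GAGUP extension
GAGUP_RENAME = re.compile(r"->\s*\S+\.GAGUP$", re.IGNORECASE)


def parse_event(line):
    """Split a 'kind|host|detail' line into a dict; returns None for malformed input."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    kind, host, detail = parts
    return {"kind": kind, "host": host, "detail": detail}


def detect(lines, rename_threshold=3):
    """Return alerts for shadow-copy deletion and per-host bursts of .GAGUP renames."""
    alerts = []
    gagup_counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        if ev["kind"] == "proc" and VSSADMIN_DELETE.search(ev["detail"]):
            alerts.append(("shadow_copy_deletion", ev["host"], ev["detail"]))
        elif ev["kind"] == "rename" and GAGUP_RENAME.search(ev["detail"]):
            gagup_counts[ev["host"]] += 1
    for host, n in gagup_counts.items():
        if n >= rename_threshold:
            alerts.append(("gagup_rename_burst", host, f"{n} files renamed to .GAGUP"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the sample above the detector raises one shadow-copy deletion alert for HOST01 and one rename-burst alert for HOST01; HOST02's `vssadmin list shadows` and its ordinary rename stay quiet.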
However, the ransomware does not encrypt every file. Some are left accessible so that victims can more easily contact the group: the unencrypted files are needed for victims to download the qTox application, which is used to communicate with the attackers.