An emerging threat actor has been targeting organizations in the US and South Korea with a new ransomware family based on leaked Babuk source code, Cisco’s Talos research unit reports.
Dubbed RA Group and active since April 2023, the gang has compromised at least three organizations in the US and one in South Korea, spanning across the insurance, manufacturing, pharmaceuticals, and wealth management sectors.
Like other ransomware groups out there, the threat actor is exfiltrating victim data and threatens to leak it online unless a ransom is paid.
According to Talos, RA Group launched their leaks site on April 22. Less than a week later, the group listed four victim organizations on the site, along with information on exfiltrated data, and URLs to download the data.
In the ransom note dropped on the compromised machines, the threat actor informs the victim that the data would be leaked online unless the ransom is paid in three days. Each note is custom to the victim and contains a link to validate that data had been exfiltrated.
The group’s ransomware, which shows overlaps with the leaked Babuk source code, appends the “.GAGUP” extension to the encrypted files. The ransomware deletes all data in Recycle Bin and the volume shadow copies.
Before starting the encryption process, the malware enumerates all logical drives, as well as network shares and available network resources, to encrypt files on remotely mapped drives.
The ransomware has a hardcoded list of files and folders it avoids encrypting. These are resources necessary for the system to work, to ensure that the victim can contact the ransomware operators.
RA Group’s ransomware is the latest on the list of Babuk-based threats observed since the source code was leaked in September 2021.
Last week, SentinelOne revealed that, in addition to typical ransomware, the source code has been used to breed at least 10 ransomware families targeting VMware ESXi servers specifically.
One ESXi-targeting ransomware that does not show links to Babuk, SentinelOne says, is the ESXiArgs locker that caused havoc earlier this year. Talos, however, believes that the two are related.
Related: CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities
Related: Capita Says Ransomware Attack Will Cost It Up to $25 Million
Related: Ransomware Group Claims Attack on Constellation Software