Connect with us

Hi, what are you looking for?



New Babuk-Based Ransomware Targeting Organizations in US, Korea

An emerging ransomware gang called RA Group is targeting organizations in the US and South Korea.

An emerging threat actor has been targeting organizations in the US and South Korea with a new ransomware family based on leaked Babuk source code, Cisco’s Talos research unit reports.

Dubbed RA Group and active since April 2023, the gang has compromised at least three organizations in the US and one in South Korea, spanning across the insurance, manufacturing, pharmaceuticals, and wealth management sectors.

Like other ransomware groups out there, the threat actor is exfiltrating victim data and threatens to leak it online unless a ransom is paid.

According to Talos, RA Group launched their leaks site on April 22. Less than a week later, the group listed four victim organizations on the site, along with information on exfiltrated data, and URLs to download the data.

In the ransom note dropped on the compromised machines, the threat actor informs the victim that the data would be leaked online unless the ransom is paid in three days. Each note is custom to the victim and contains a link to validate that data had been exfiltrated.

The group’s ransomware, which shows overlaps with the leaked Babuk source code, appends the “.GAGUP” extension to the encrypted files. The ransomware deletes all data in Recycle Bin and the volume shadow copies.

Before starting the encryption process, the malware enumerates all logical drives, as well as network shares and available network resources, to encrypt files on remotely mapped drives.

Advertisement. Scroll to continue reading.

The ransomware has a hardcoded list of files and folders it avoids encrypting. These are resources necessary for the system to work, to ensure that the victim can contact the ransomware operators.

RA Group’s ransomware is the latest on the list of Babuk-based threats observed since the source code was leaked in September 2021.

Last week, SentinelOne revealed that, in addition to typical ransomware, the source code has been used to breed at least 10 ransomware families targeting VMware ESXi servers specifically.

One ESXi-targeting ransomware that does not show links to Babuk, SentinelOne says, is the ESXiArgs locker that caused havoc earlier this year. Talos, however, believes that the two are related.

Related: CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities

Related: Capita Says Ransomware Attack Will Cost It Up to $25 Million

Related: Ransomware Group Claims Attack on Constellation Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The personal and health information of more than 3.3 million individuals was stolen in a ransomware attack at Regal Medical Group.