Tuesday, 16 May 2023 12:07

Ransomware Group RA Group Is Open for Business in the US and South Korea

Written by

Reading time is around minutes.

There is a new player in the ransomware space. Dubber RA group this new organization appears to have had their grand opening last month (April 2023). RA Group published a data leak site on the dark web as part of the now all too familiar double extortion scheme that most ransomware brings to the table. RA Group is also one of the organizations that has leveraged the Babuk source code links to get things going, as reported by Cisco Talos.

RA Group published details of their first victims on April 27th meaning that things are in full swing now. The attack details are interesting as it appears the group names the binary after their victim and includes a customized ransom note as well (you know, for the personal touch). The payload targets all logical drives as well as any connected network shares while excluding folders and files critical to the operation of the device. The latter means that a target will still be able to boot their device leaving only business data encrypted. It is an approach that seems to be aimed at making payment more likely.

There is currently no information on the vectors they are using to get the ransomware due to the small number of known victims of the new group. We are confident that as more people are targeted the TTPs of RA Group will come to light.

To speed up encryption of the data the RA Group uses a method called intermittent encryption meaning that the entire file or volume is not encrypted. This can allow for partial data recovery making it a risky tactic, but then again being a cyber criminal is risky anyway. Other features of the ransomware are deletion of shadow copies and the recycle bin contents all this as it exfiltrates the data it is encrypting. Once the payload has done its job, tit leaves the customize ransom note which includes instructions on how to pay the ransom along with a link to sample files as proof of exfiltration. The timelines are simple, after 3 days of no contact the sample files go live, after 7 days all the stollen data becomes public.

Ransomware is not going anywhere, if anything the leak of the Babuk source code may have breathed new life into it as new groups cut their development time by building on someone else’s work.

Read 519 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.