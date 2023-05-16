



May 15, 2023Ravie LakshmananEndpoint Security / Ransomware

A new ransomware group known as RA Group has become the latest threat actor to exploit leaked Babuk ransomware source code to create its own locker variant.

The cybercriminal gang, which is believed to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos.

“To date, the group has compromised three organizations in the United States and one in South Korea across multiple industries, including manufacturing, wealth management, insurers, and pharmaceuticals,” security researcher Chetan Raghuprasad said in a report shared with The Hacker News.

RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to put additional pressure on victims to pay ransoms.

The Windows-based binary uses intermittent encryption (encrypting only portions of each file) to speed up the process and evade detection, and it also deletes Volume Shadow Copies and Recycle Bin contents from the machine to hinder recovery.
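The shadow-copy deletion mentioned above is one of the few behaviours in this report that defenders can detect generically, because it has to run as a visible child process. The following Python is an added example, not code from the article or from Cisco Talos: it parses a constructed `key=value` process-creation log and flags command lines that delete or shrink Volume Shadow Copies. The article does not name the exact commands RA Group issues; the patterns below cover the commonly used `vssadmin`, `wmic` and WMI (`Win32_ShadowCopy`) idioms and are an assumption, not RA Group indicators. The host names, users and timestamps in the sample log are constructed.

```python
import re

# Commonly used shadow-copy deletion / shrinking idioms (assumption: these
# are generic techniques, not commands the article attributes to RA Group).
SHADOW_COPY_DELETION_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy\b.*\b(Delete|Remove-WmiObject)\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b.*\bmaxsize\b",
               re.IGNORECASE),
]

# Constructed log format: space-separated key=value pairs, quoted when the
# value contains spaces (e.g. cmd="vssadmin.exe delete shadows /all /quiet").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one constructed process-creation log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_shadow_copy_deletion(cmdline):
    """True if the command line matches any shadow-copy deletion idiom."""
    return any(p.search(cmdline) for p in SHADOW_COPY_DELETION_PATTERNS)


def find_shadow_copy_deletions(lines):
    """Return the events whose command line deletes or shrinks shadow copies.

    The parent process is kept in each hit so an analyst can separate a
    backup agent running maintenance from an unknown binary (the ransomware
    locker) doing the same thing moments before encryption starts.
    """
    hits = []
    for line in lines:
        event = parse_line(line)
        cmd = event.get("cmd", "")
        if is_shadow_copy_deletion(cmd):
            hits.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "parent": event.get("parent"),
                "cmd": cmd,
            })
    return hits


# Constructed sample log: one benign editor launch, one legitimate backup
# listing, and three shadow-copy deletions spawned by a hypothetical locker.
SAMPLE_LOG = [
    'ts=2023-05-10T03:12:41Z host=WS-FIN-07 user=CORP\\jdoe parent=explorer.exe '
    'image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'ts=2023-05-10T03:14:02Z host=WS-FIN-07 user=CORP\\jdoe parent=locker.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2023-05-10T03:14:03Z host=WS-FIN-07 user=CORP\\jdoe parent=locker.exe '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    'ts=2023-05-10T03:20:15Z host=SRV-BK-01 user=CORP\\backupsvc parent=backupagent.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"',
    'ts=2023-05-10T03:21:00Z host=WS-FIN-07 user=CORP\\jdoe parent=locker.exe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
]

if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} parent={hit["parent"]} cmd={hit["cmd"]}')
```

Running the block prints the three deletion events on `WS-FIN-07`, all with `locker.exe` as parent, while the backup server's `vssadmin.exe list shadows` is not flagged. In practice the same matching is expressed as a SIEM or EDR rule over Sysmon event ID 1 or Windows event 4688 command lines, with an allowlist of known backup-agent parents to keep the alert actionable.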

“RA Group uses personalized ransom notes, including the victim’s name and a unique link to download the exfiltration evidence,” Raghuprasad explained. “If the victim fails to contact the actor within three days, the group releases the victim’s records.”

It also avoids encrypting system files and folders named in a hardcoded exclusion list, so that the victim’s machine stays usable enough to download the qTox chat app and contact the operators using the qTox ID provided in the ransom note.

What sets RA Group apart from other ransomware operations is that the threat actor has also been observed selling the victim’s exfiltrated data on its leak portal, hosting the information on a Tor site.

The development comes less than a week after SentinelOne revealed that threat actors of varying sophistication and expertise are increasingly adopting Babuk ransomware code to develop a dozen variants capable of targeting Linux systems.

“There is a noticeable trend that actors are increasingly using the Babuk builder to develop ESXi and Linux ransomware,” the cybersecurity firm said. “This is especially evident when used by actors with fewer resources, as those actors are less likely to significantly modify Babuk’s source code.”

Other ransomware actors that have adopted Babuk’s source code over the past year include AstraLocker and Nokoyawa. Cheerscrypt, another Babuk-based ransomware strain, has been linked to a Chinese espionage actor called Emperor Dragonfly, which is known to use short-lived ransomware families such as Rook, Night Sky, and Pandora.

The findings also follow the discovery of two other new ransomware strains named Rancoz and BlackSuit, the latter of which is designed to target both Windows and VMware ESXi servers.

“The constant evolution and release of new ransomware variants highlights the advanced skills and agility of [threat actors], indicating that they react to implemented cybersecurity measures and checks and customize their ransomware accordingly,” Cyble said.

