RA Group, a newly identified ransomware group, has launched a string of attacks on pharmaceutical, insurance, financial and manufacturing companies in the United States and South Korea. The group began operating in April 2023 and its model is extortion: it runs a leak site on the darknet where it publishes data stolen from its victims, the "double extortion" tactic common among other ransomware groups.
According to Cisco Talos, RA Group's encryptor is built on the leaked Babuk ransomware source code. In each attack the victim receives an individual ransom note tailored to their organization, and the note file also carries the victim company's name. The ransom note lists the channels for contacting the attackers and a link to a repository of stolen files as proof of the breach.
RA Group enumerates all of the victim's logical drives and network shares and then attempts to encrypt selected folders. The encryptor uses intermittent encryption, encrypting only parts of each file, which speeds up the run but also leaves portions of the data recoverable. It uses Curve25519 and the eSTREAM cipher HC-128 to encrypt data, and encrypted files receive the extension ".GAGUP". To hinder recovery, all shadow copies and the contents of the Recycle Bin are deleted.
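As an added triage example (this is not the article's or Cisco Talos's code, and it is not RA Group's encryptor), the script below shows three checks an incident responder might run against the behaviours described above: listing files that carry the .GAGUP extension, flagging the intermittent-encryption pattern by measuring entropy per chunk instead of per file, and spotting shadow-copy deletion in process-creation logs. The sample file tree and log lines are constructed for the example; the chunk size, the entropy thresholds, and the assumption that shadow copies are removed with vssadmin or wmic (the article does not name the tool) are mine, not taken from the malware.

```python
from __future__ import annotations

import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports on encrypted files; matched case-insensitively.
ENCRYPTED_EXT = ".gagup"
CHUNK = 4096  # per-block entropy window; an assumption, not the malware's block size

# The article says shadow copies are deleted but does not name the tool.
# vssadmin and wmic are the usual Windows mechanisms (assumption).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data` (0.0 for empty input, 8.0 for all 256 values equally often)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK,
                                   high: float = 7.0, low: float = 6.0) -> bool:
    """Plaintext gaps drag whole-file entropy down, so one number is misleading.
    Per-chunk entropy exposes the pattern: chunks near 8 bits/byte (ciphertext)
    beside chunks well below (untouched plaintext). Thresholds are heuristics."""
    ents = chunk_entropies(data, chunk)
    return any(e >= high for e in ents) and any(e <= low for e in ents)


def find_encrypted_files(root: Path | str) -> list[Path]:
    """Files under `root` carrying the .GAGUP extension, sorted."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() == ENCRYPTED_EXT)


def find_shadow_copy_deletion(log_lines: list[str]) -> list[str]:
    """Process-creation log lines whose command line deletes shadow copies."""
    return [ln for ln in log_lines if any(p.search(ln) for p in SHADOW_DELETE_PATTERNS)]


# --- Constructed sample data (not real victim data or real logs) -------------

def make_intermittently_encrypted_sample(n_chunks: int = 6) -> bytes:
    """Alternate pseudo-random 'ciphertext' chunks with plaintext chunks, mimicking
    a partially encrypted file. Seeded so the output is deterministic."""
    rng = random.Random(1234)
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK]
    out = bytearray()
    for i in range(n_chunks):
        out += rng.randbytes(CHUNK) if i % 2 == 0 else text
    return bytes(out)


def build_sample_tree(root: Path | str) -> Path:
    """Create a small tree with one 'encrypted' file and one untouched file."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.GAGUP").write_bytes(make_intermittently_encrypted_sample())
    (docs / "notes.txt").write_bytes(b"Meeting notes, nothing encrypted here.\n" * 200)
    return Path(root)


def triage_sample_tree() -> dict[str, bool]:
    """Build the sample tree in a temp dir; map each .GAGUP file to its intermittent flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return {p.relative_to(root).as_posix(): looks_intermittently_encrypted(p.read_bytes())
                for p in find_encrypted_files(root)}


# Constructed process-creation events in a generic key=value form (not a real log format).
SAMPLE_LOG = [
    '2023-05-10T09:12:01Z host=FS01 event=ProcessCreate cmd="svchost.exe -k netsvcs"',
    '2023-05-10T09:12:07Z host=FS01 event=ProcessCreate cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-05-10T09:12:08Z host=FS01 event=ProcessCreate cmd="cmd.exe /c dir C:\\Users"',
]


if __name__ == "__main__":
    sample = make_intermittently_encrypted_sample()
    print("whole-file entropy:", round(shannon_entropy(sample), 2))
    print("per-chunk entropy:", [round(e, 2) for e in chunk_entropies(sample)])
    print("encrypted files:", triage_sample_tree())
    for line in find_shadow_copy_deletion(SAMPLE_LOG):
        print("shadow-copy deletion:", line)
```

Run it directly to see the per-chunk entropy profile: the whole-file score for the same file sits between the plaintext and ciphertext values, which is why entropy-only detections tuned for fully encrypted files miss intermittent encryption. The shadow-copy check is the higher-confidence signal of the two, since deleting all shadow copies has few legitimate uses on a file server.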
The attackers give victims three days before they publish a sample of the stolen data. The group is relatively new and has few victims so far, and it is still unclear how it gains initial access and moves laterally across the network. RA Group is one of several groups that use the leaked Babuk ransomware source code to build their own ransomware.
Since September 2021, several groups have used the leaked Babuk source code to create nine ransomware families capable of attacking VMware ESXi systems. Security firm SentinelOne warns that new variants appeared in the second half of 2022 and the first half of 2023, indicating a growing number of attackers building on the Babuk source code. The leaked code lets attackers target Linux systems even without the technical skill to write their own ransomware.