New ‘RA’ ransomware group using leaked source code to launch attacks

A new ransomware group is using leaked code from the now-defunct Babuk gang to attack organizations.

Researchers from the threat intelligence outfit Cisco Talos said they recently discovered the gang, named RA Group, which has been operating since at least April 2023. Since then, the group has attacked at least three companies in the U.S. and South Korea involved in manufacturing, pharmaceuticals and more.

The researchers told Recorded Future News that the group is “now selling the stolen data – an uncommon thing to see among ransomware operators.” The company declined to provide more details about the targeted companies and nature of the attacks.

Analysis of the group’s ransomware shows they are leveraging source code from Babuk, a ransomware gang whose source code leaked online in 2021. Since then, dozens of groups have used it to develop their own brand of ransomware.

The builder for the Babuk Locker ransomware allowed easy access to an advanced ransomware strain to any would-be criminal group looking to get into the ransomware scene with little to no development effort.

The RA Group launched its data leak site on April 22 and added its first batch of victims at the end of the month. Since then, the group has continually updated the leak site with cosmetic changes. Like most leak sites, victim names and URLs are listed alongside an itemized list of the stolen data, which is also being offered for sale.

The group customizes its ransom notes and only gives victims three days to respond to the hackers or their data will be leaked. Encrypted files are appended with the file extension “.GAGUP” and the ransomware deletes all contents of the victim’s trash.

The ransomware does not encrypt all of a victim’s files and folders, leaving some “folders the malware won’t encrypt so the victim can contact the RA Group operators.”

“These files and folders are necessary for the system to work properly and to allow the victims to download the qTox [messaging] application and contact RA group operators using the qTox ID provided on the ransom note,” they explained.

Security software company KnowBe4’s Erich Kron explained that groups have been able to reduce their development time significantly by reusing leaked code written by others.

The leaked source code of groups like Babuk has also allowed less sophisticated actors to incorporate features they would otherwise have been unable to create themselves.

“This trend is going to continue to grow as offerings mature and as AI becomes better at assisting where attacker skills may otherwise fall short,” Kron noted.

“These changes that allow less technical people to carry out attacks are likely to increase the frequency of attempted ransomware attacks.”