The Uptick in RA Group Ransomware’s Activity
In April 2023, researchers uncovered a new ransomware actor named RA Group, whose malware shows a connection to the Babuk ransomware through its use of Babuk’s leaked source code. Since an alleged group member fully disclosed that source code in September 2021, a number of ransomware families have emerged that incorporate the leaked code into their attacks.
RA Group uses double extortion: it threatens to publish data exfiltrated from victims who fail to make contact within a specified timeframe or who do not meet the ransom demand. This dual threat increases the likelihood that victims give in to the ransom demand.
The actor is rapidly expanding its operations. RA Group launched its data leak site on April 22, 2023; by April 27 the first batch of victims, three in total, had been posted, followed by another on April 28. Cosmetic alterations made to the leak site after victim details were published suggest the group is still in the early stages of its operation.
The group is motivated primarily by personal gain, and we are witnessing an uptick in its activity, with 9 recorded attacks in the last 2 months.
Victimology
RA Group primarily targets organizations in the Eastern Asia region, extending their attacks to Europe and the United States. Their victims span various sectors, including manufacturing, business services, retail, and more.
Recently, in Q1 2024, they targeted several European businesses across a range of sectors, from Pascoe International (Transportation, UK) to Ranzijn (Finance, Netherlands) to Wurzbacher and the Shorterm Group (Business Services, Germany and the UK respectively).
In April we saw an uptick in activity, with 5 attacks so far hitting Europe, North America and South America.
Over the last few months there has been an uptick in activity against 3 sectors in particular: transportation with 3 attacks, manufacturing with 2 attacks and business services with 2 attacks.
Malware, Toolset & TTPs
On their leak site, RA Group discloses the victim organization’s name, a list and total size of the exfiltrated data, and the victim’s official URL. The group also sells the exfiltrated data on its secured Tor site. The ransom notes are customized, containing the victim’s name and a unique link for downloading proof of exfiltration. The ransomware executable drops the ransom note as a file named “How To Restore Your Files.txt.”
If the victim fails to contact the actors within three days, RA Group leaks the victim’s files. Victims can confirm the data exfiltration by downloading a file via the link provided in the ransom note.
RA Group’s ransomware is written in C++, was compiled on April 23, 2023, and carries the debug path “C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb.” It shares a mutex name with the Babuk ransomware, which indicates the use of Babuk’s leaked source code.
The ransomware uses Curve25519 together with the eSTREAM stream cipher HC-128 for encryption, and it encrypts only a specific part of each source file’s contents rather than the whole file. The WinAPI function CryptGenRandom generates the cryptographically random bytes used as the private key for each victim. Encrypted files have the “.GAGUP” extension appended.
RA Group’s ransomware takes several further actions: it empties the Recycle Bin via the SHEmptyRecycleBinA API and removes volume shadow copies by executing vssadmin.exe. Logical drives are enumerated and mounted for the encryption process, and network shares and resources are discovered through the NetShareEnum, WNetOpenEnumW and WNetEnumResourceW APIs, allowing files on remotely mapped drives to be encrypted as well.
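The two host-level artifacts described above, the vssadmin.exe shadow copy deletion and the “.GAGUP” extension plus “How To Restore Your Files.txt” ransom note, are what a defender can most cheaply hunt for. The following is an added detection example written for this write-up, not code from the report or from the malware; the flattened Sysmon-style event format and the sample paths are constructed for illustration.

```python
import re
from typing import Iterable

# Indicators taken from the write-up above.
RANSOM_NOTE = "How To Restore Your Files.txt"
ENCRYPTED_EXT = ".GAGUP"
# vssadmin invocation that removes volume shadow copies (case-insensitive).
VSS_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def detect_shadow_copy_deletion(lines: Iterable[str]) -> list[dict]:
    """Return process-creation events whose command line deletes shadow copies.

    Each line is assumed to be a flattened Sysmon Event ID 1 record of the
    constructed form 'Image=<path>|CommandLine=<cmd>|ParentImage=<path>'.
    The parent image is kept because vssadmin spawned by an unknown binary
    (rather than an admin's cmd.exe) is the suspicious case.
    """
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
        cmd = fields.get("CommandLine", "")
        if VSS_DELETE_RE.search(cmd):
            hits.append({"parent": fields.get("ParentImage", ""), "cmd": cmd})
    return hits


def triage_file_listing(paths: Iterable[str]) -> dict:
    """Count .GAGUP files and locate ransom notes in a list of Windows paths."""
    encrypted = [p for p in paths if p.upper().endswith(ENCRYPTED_EXT)]
    notes = [p for p in paths if p.rsplit("\\", 1)[-1] == RANSOM_NOTE]
    return {"encrypted_count": len(encrypted), "ransom_notes": notes}


# Constructed sample telemetry; 'sample.exe' is a placeholder parent process.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs|ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet|ParentImage=C:\\Users\\Public\\sample.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\\Windows\\System32\\cmd.exe",
]
SAMPLE_FILES = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.GAGUP",
    "C:\\Users\\alice\\Documents\\How To Restore Your Files.txt",
    "C:\\Users\\alice\\Documents\\readme.md",
]

if __name__ == "__main__":
    print(detect_shadow_copy_deletion(SAMPLE_EVENTS))
    print(triage_file_listing(SAMPLE_FILES))
```

Listing shadow copies is deliberately not flagged, so the rule only fires on the destructive form the report describes.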
| Tactic | Technique |
|---|---|
| Discovery | T1016.001 – Internet Connection Discovery |
| Execution | T1059.001 – PowerShell |
| Initial Access | T1566.001 – Spearphishing Attachment |
| Privilege Escalation | T1547.009 – Shortcut Modification |
| Persistence | T1547.009 – Shortcut Modification |
| Impact | T1486 – Data Encrypted for Impact |
| Execution | T1569.002 – Service Execution |
| Collection | T1114.001 – Local Email Collection |
| Exfiltration | T1567 – Exfiltration Over Web Service |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Exfiltration | T1537 – Transfer Data to Cloud Account |
| Initial Access | T1078 – Valid Accounts |
| Defense Evasion | T1078 – Valid Accounts |
| Privilege Escalation | T1078 – Valid Accounts |
| Persistence | T1078 – Valid Accounts |
| Exfiltration | T1020 – Automated Exfiltration |
| Execution | T1059.003 – Windows Command Shell |
| Defense Evasion | T1036.005 – Match Legitimate Name or Location |
| Initial Access | T1566.002 – Spearphishing Link |
| Initial Access | T1190 – Exploit Public-Facing Application |
| Defense Evasion | T1027.001 – Binary Padding |
| Privilege Escalation | T1547.001 – Registry Run Keys / Startup Folder |
| Persistence | T1547.001 – Registry Run Keys / Startup Folder |
| Initial Access | T1195 – Supply Chain Compromise |
| Exfiltration | T1029 – Scheduled Transfer |