RA Group Using Babuk Ransomware Source Code in Fresh Attacks

New Ransomware Gang Attacked 4 US and Korean Organizations in April
Security researchers say a new Babuk knockoff ransomware group emerged in April and has already claimed targets in the United States and South Korea.

Threat intelligence company Cisco Talos said RA Group is the latest criminal group to take advantage of the mysterious June 2021 leak of Babuk builder source code onto VirusTotal. Babuk has since appeared inactive. U.S. federal prosecutors on Tuesday unsealed an indictment against a key figure in the group, Russian hacker Mikhail Matveev, aka "Wazawaka" (see: Alleged Babuk Ransomware Hacker 'Wazawaka' Indicted in US).

Cisco Talos says it can match Babuk's code to RA Group ransomware in part because both programs contain the same mutex name - that is, the same name for a synchronization object that keeps more than one thread or process from executing a section of code at the same time. Other groups that have recycled Babuk code include Rook, Night Sky, ESXiArgs and RTM Locker (see: RTM Locker RaaS Group Turns to Linux, NAS and ESXi Hosts).

Though the group uses Babuk source code, Talos said it customizes each build by naming the victim inside the executable and bundling a tailored ransom note. The ransomware appends .gagup to encrypted files.

The group's dark web leak site so far displays only four victims - three based in the U.S. and one in Korea. It claims all victims received the ransomware within a two-day period ending April 28.

RA Group currently states that it is leaking data from a Seoul-based biopharmaceutical firm a little bit at a time over the course of a year and says the group will "try to sell the data in the meantime."

RA Group also claims to have extorted a U.S. hardware and parts distributor, a wealth management company and an insurance broker.

Talos said the hacking group has been giving victims three days to initiate contact, after which it leaks files.

About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
