
New RA ransomware gang attacks four companies in less than a month

RA is the latest criminal gang to appropriate the leaked Babuk source code to build its own malware.

By Claudia Glover

Leaked source code from cybercriminal gang Babuk continues to wreak havoc, with a new ransomware gang, RA, using it to launch cyberattacks. RA has built malware based on Babuk’s code and used it to steal 2.5 terabytes of data from four victim companies in the US and South Korea. 


RA was first spotted in April and has already racked up a list of victims, according to a report released today by security company Cisco Talos.

RA ransomware gang attacks four companies

The Cisco Talos research says: “RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28.

“We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.” 

The group uses the same double-extortion tactic as other ransomware gangs: it exfiltrates a victim's data before encrypting it, so that it can charge for the decryption key and separately threaten to leak the stolen files if the victim refuses to pay.

Victims are also named on a dark web leak site to give weight to the threat of publication.

The gang also gives its victims less time than most. According to the ransom note reproduced in the report, sample data is published after three days and the full data set after seven: “Your data has been encrypted when you read this letter. We have copied all data onto our server, but don’t worry, your data will not be compromised or made public if you do not want,” it says. Many ransomware crews allow weeks or months of negotiation before leaking.


“We took your data and encrypted your servers,” it continues. “Contact us, pay for decryption. If there is no contact within three days, we will make the sample file public. If there is no contact within seven days, we will make the file public. Do not contact us through other companies, they just earn the difference.”

The victims have not yet been named. However, Tech Monitor understands that the American targets include an electronics supplier serving the computer, communications, aerospace, marine and military industries, a financial services company and a smaller organisation in the insurance industry.

The South Korean target is a larger company spanning several business verticals, including manufacturing, wealth management, insurance and pharmaceuticals, the report says.

It is not known if any of the victims have paid a ransom.

Babuk ransomware source code used in RA’s malware

RA is the latest gang to build on the Babuk source code, which was leaked online by a purported member of the group in September 2021. It has since been reused by numerous groups, including RTM Locker and the ESXiArgs campaign that claimed more than 3,000 victims at the beginning of this year.

The authors of the Cisco Talos report set out why they assess that RA's malware is derived from the Babuk code. “Our analysis shows that RA Group’s ransomware sample is written in C++ and was compiled on April 23, 2023,” they wrote. “The binary has the debug path ‘C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb’.”

The report adds: “It contains the same mutex name as the Babuk ransomware, supporting our high-confidence assessment that RA Group built their ransomware using Babuk’s leaked source code.”
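The debug path quoted above is the kind of artefact analysts pull from a compiled Windows binary's CodeView record: MSVC embeds the full path of the PDB file, including the developer's profile directory and project folder, which makes it a useful pivot for clustering samples. The following Python is an added example written for this article, not tooling from Cisco Talos or code from the RA sample. It scans a byte blob for RSDS records, extracts the PDB path, and pulls the Windows username out of it; the sample blob is constructed here and merely embeds the path quoted in the report.

```python
"""Pull CodeView (RSDS) debug records out of a Windows binary.

Added example for this article; it is not code from Cisco Talos, RA Group
or Tech Monitor. SAMPLE_BLOB is constructed and simply embeds the debug
path quoted in the Talos report; it is not the real RA binary.
"""
import re
import struct
import uuid
from typing import Dict, List, Optional

# Layout of a CodeView RSDS record as emitted by MSVC:
#   b"RSDS" | 16-byte GUID (little-endian) | 4-byte age | NUL-terminated path
RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# Matches the Windows profile name in a build path such as C:\Users\attack\...
_USERS_RE = re.compile(rb"(?i)[a-z]:\\users\\([^\\]+)\\")


def extract_pdb_records(blob: bytes) -> List[Dict]:
    """Return every plausible RSDS record in `blob` as {guid, age, path}.

    Scans for the magic instead of walking the PE debug directory, so it also
    works on memory dumps or carved sections whose headers are gone. Records
    that are truncated, or whose path is not printable ASCII, are skipped,
    which filters the occasional random 'RSDS' byte run.
    """
    records = []
    pos = blob.find(RSDS_MAGIC)
    while pos >= 0:
        header_end = pos + RSDS_HEADER_LEN
        nul = blob.find(b"\x00", header_end)
        if header_end > len(blob) or nul < 0:
            break  # truncated: no room for the header, or no NUL-terminated path
        raw_path = blob[header_end:nul]
        if raw_path and all(0x20 <= b < 0x7F for b in raw_path):
            guid = uuid.UUID(bytes_le=blob[pos + 4 : pos + 20])
            (age,) = struct.unpack_from("<I", blob, pos + 20)
            records.append({"guid": str(guid), "age": age, "path": raw_path.decode("ascii")})
        pos = blob.find(RSDS_MAGIC, pos + 4)
    return records


def build_username(pdb_path: str) -> Optional[str]:
    """Return the Windows account name embedded in a PDB path, if any.

    The profile directory is a cheap pivot for grouping samples built on the
    same developer machine; here it would yield 'attack'.
    """
    m = _USERS_RE.search(pdb_path.encode("ascii", "replace"))
    return m.group(1).decode("ascii") if m else None


# Constructed input: a fake DOS header, one RSDS record carrying the debug
# path quoted in the Talos report, then padding. The GUID is made up.
SAMPLE_PATH = rb"C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb"
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 62
    + RSDS_MAGIC + SAMPLE_GUID.bytes_le + struct.pack("<I", 1) + SAMPLE_PATH + b"\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE_BLOB):
        print(f"pdb={rec['path']} guid={rec['guid']} age={rec['age']} "
              f"user={build_username(rec['path'])}")
```

Run against a real sample, the same loop also surfaces the GUID and age, which together identify the exact PDB the build produced and can be compared across samples attributed to the same developer. A string such as the mutex name the report mentions is a plain substring search on the same blob and needs no parsing.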

