Leaked source code from cybercriminal gang Babuk continues to wreak havoc, with a new ransomware gang, RA, using it to launch cyberattacks. RA has built malware based on Babuk’s code and used it to steal 2.5 terabytes of data from four victim companies in the US and South Korea.
RA was first spotted in April and has already racked up a list of victims, according to a report released today by security company Cisco Talos.
RA ransomware gang attacks four companies
The Cisco Talos research says: “RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28.
“We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.”
The cybercrime group employs the same tactics as other ransomware gangs, using double extortion to press victims into paying. In a double-extortion attack the criminals exfiltrate data from a system before encrypting it, so they can threaten to leak the stolen data as well as charge for the decryption key.
Victims are also named on a dark web leak site to add the threat of the data being released.
The gang is a little more ruthless than most, selling the data after three days, according to the ransom note published in the report: “Your data has been encrypted when you read this letter. We have copied all data onto our server, but don’t worry, your data will not be compromised or made public if you do not want,” it says. Typically criminals give their victims weeks or months to pay up.
“We took your data and encrypted your servers,” it continues. “Contact us, pay for decryption. If there is no contact within three days, we will make the sample file public. If there is no contact within seven days, we will make the file public. Do not contact us through other companies, they just earn the difference.”
The victims have not yet been disclosed. However, Tech Monitor understands that the American targets include an electronics supplier servicing the computer, communication, aerospace, marine and military industries. The others are a financial services company and a smaller organisation in the insurance industry.
The South Korean target was another large company spanning several business verticals, including manufacturing, wealth management, insurance and pharmaceuticals, the report reveals.
It is not known if any of the victims have paid a ransom.
Babuk ransomware source code used in RA’s malware
RA is the latest gang to build on the Babuk source code leak, which was published online by a malicious insider of the group in September 2021. It has been used by numerous groups, including RTM Locker and the now notorious ESXiArgs, whose campaign claimed more than 3,000 victims at the beginning of this year.
The authors of the Cisco Talos report have explained why they attribute RA’s malware to the Babuk source code. “Our analysis shows that RA Group’s ransomware sample is written in C++ and was compiled on April 23, 2023,” they wrote. “The binary has the debug path ‘C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb’.”
The report adds: “It contains the same mutex name as the Babuk ransomware, supporting our high-confidence assessment that RA Group built their ransomware using Babuk’s leaked source code.”
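The debug path Talos quotes is a CodeView (RSDS) record that the compiler embeds in the binary, and it is the kind of artefact a defender can extract and match against known builds. The following is an added example, not Cisco Talos tooling or code from the report: it scans raw bytes for RSDS records, parses the GUID, age and PDB path, and flags the path quoted in the article. The sample image bytes and the GUID are constructed for the demonstration; the mutex name Talos also relied on is not given in the article, so only the PDB path is checked here.

```python
"""Extract CodeView (RSDS) PDB debug paths from PE image bytes and flag the
path Cisco Talos attributed to the RA Group sample.

Added example, not Cisco Talos code. Sample bytes below are constructed.
"""
import struct
import uuid

# The only page-sourced indicator: the debug path quoted in the Talos report.
KNOWN_BABUK_DERIVED_PDB_PATHS = {
    r"C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb",
}


def extract_rsds_records(data: bytes):
    """Return a list of (guid, age, pdb_path) for every RSDS record in data.

    Record layout: b'RSDS' | 16-byte GUID (Windows little-endian layout) |
    4-byte little-endian age | NUL-terminated PDB path.

    The whole buffer is scanned rather than walking the PE debug directory,
    so records in packed or malformed images are still found.
    """
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = data[pos + 4:]
        if len(body) >= 21:  # GUID + age + at least a terminator
            guid = uuid.UUID(bytes_le=body[:16])
            age = struct.unpack("<I", body[16:20])[0]
            end = body.find(b"\x00", 20)
            raw_path = body[20:] if end == -1 else body[20:end]
            try:
                path = raw_path.decode("ascii")
            except UnicodeDecodeError:
                path = None  # 'RSDS' occurred in non-record bytes
            if path and path.isprintable():
                records.append((str(guid), age, path))
        pos = data.find(b"RSDS", pos + 4)
    return records


def flag_known_pdb_paths(data: bytes):
    """Return PDB paths in data that match known Babuk-derived builds."""
    return [path for _, _, path in extract_rsds_records(data)
            if path in KNOWN_BABUK_DERIVED_PDB_PATHS]


def build_sample_image(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE image carrying one RSDS record.

    The GUID is an arbitrary constructed value, not one from any real sample.
    """
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    record = (b"RSDS" + guid.bytes_le + struct.pack("<I", 1)
              + pdb_path.encode("ascii") + b"\x00")
    return b"MZ" + b"\x00" * 62 + record + b"\x00" * 16


if __name__ == "__main__":
    image = build_sample_image(next(iter(KNOWN_BABUK_DERIVED_PDB_PATHS)))
    for guid, age, path in extract_rsds_records(image):
        print(f"RSDS guid={guid} age={age} path={path}")
    print("flagged:", flag_known_pdb_paths(image))
```

In practice the function is run over the on-disk sample or a memory dump; a match on the path alone is a lead for the analyst rather than a verdict, since debug paths are trivially editable and Talos combined this indicator with the mutex name before calling the attribution high-confidence.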