The freshly minted ransomware gang is customizing leaked Babuk source code to go after cyber targets in the US and South Korea — and it's expanding its operations quickly.

stylized computer component with padlock
Source: JLStock via Shutterstock

A newly discovered ransomware gang dubbed RA Group is ramping up its cyberattacks — the latest in a line of threat actors leveraging the leaked Babuk source code. The group distinguishes itself from the rest of the Babuk pack, however, with a highly customized approach.

According to an analysis from Cisco Talos this week, RA Group opened shop on April 22 and has been rapidly expanding its operations ever since. So far, it's gone after organizations in the US and South Korea in the manufacturing, wealth management, insurance, and pharmaceutical industries.

By way of background, the full source code for the Babuk ransomware was leaked online in September 2021, and since then several new threat actors have used it to go into the ransomware business. In particular, several have used it to develop lockers for VMware ESXi hypervisors — over the past year, 10 different ransomware families have gone that route.

Others have customized the code in other ways, taking advantage of the fact that it is built to exploit several known vulnerabilities, including those found in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and others.

"By reusing code written by others and leaked, these groups are reducing their development time significantly and possibly even incorporating features they would otherwise have been unable to create themselves," Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment. 

He added, "In the last few years, especially after ransomware-as-a-service (RaaS) offerings became popular, it's become very clear that you do not have to be a technical marvel to play in the cybercrime and extortion game. Simply using other people's code, through a subscription or through leaks such as this, with minor modifications can get just about anyone equipped to carry out attacks."

RA Group's Unique Take on Babuk

In RA Group's case, it's using a typical double-extortion model in which it threatens to leak exfiltrated data if the victim doesn't pay the ransom; however, according to the ransom note, victims have just three days to pay up.

That's not the only tweak to known playbooks the group is employing. "In their leak site, RA Group discloses the name of the victim's organization, a list of their exfiltrated data and the total size, and the victim’s official URL, which is typical among other ransomware groups’ leak sites," according to Cisco Talos' analysis of the ransomware group. But in a twist, the "RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site."

Despite the RA Group's spin on ransomware, the basics remain effective when it comes to defending against the threat: Organizations should make sure their environments are patched and up to date, continually monitor their networks for any signs of malicious activity (and ensure their security tools are updated with the latest indicators of compromise), and ensure they have effective backup and recovery procedures in place in the event of a successful attack.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights