A newly discovered ransomware gang dubbed RA Group is ramping up its cyberattacks — the latest in a line of threat actors leveraging the leaked Babuk source code. The group distinguishes itself from the rest of the Babuk pack, however, with a highly customized approach.
According to an analysis from Cisco Talos this week, RA Group opened shop on April 22 and has been rapidly expanding its operations ever since. So far, it's gone after organizations in the US and South Korea in the manufacturing, wealth management, insurance, and pharmaceutical industries.
By way of background, the full source code for the Babuk ransomware was leaked online in September 2021, and since then several new threat actors have used it to go into the ransomware business. In particular, several have used it to develop lockers for VMware ESXi hypervisors — over the past year, 10 different ransomware families have gone that route.
Others have customized the code in different ways, taking advantage of the fact that the Babuk playbook was built around exploiting several known vulnerabilities, including flaws in Microsoft Exchange, Apache Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and others.
"By reusing code written by others and leaked, these groups are reducing their development time significantly and possibly even incorporating features they would otherwise have been unable to create themselves," Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment.
He added, "In the last few years, especially after ransomware-as-a-service (RaaS) offerings became popular, it's become very clear that you do not have to be a technical marvel to play in the cybercrime and extortion game. Simply using other people's code, through a subscription or through leaks such as this, with minor modifications can get just about anyone equipped to carry out attacks."
RA Group's Unique Take on Babuk
In RA Group's case, it's using a typical double-extortion model in which it threatens to leak exfiltrated data if the victim doesn't pay the ransom; however, according to the ransom note, victims have just three days to pay up.
That's not the only tweak to known playbooks the group is employing. "In their leak site, RA Group discloses the name of the victim's organization, a list of their exfiltrated data and the total size, and the victim's official URL, which is typical among other ransomware groups' leak sites," according to Cisco Talos' analysis of the ransomware group. But in a twist, "RA Group is also selling the victim's exfiltrated data on their leak site by hosting the victims' leaked data on a secured Tor site."
Despite RA Group's spin on ransomware, the basics remain effective when it comes to defending against the threat: Organizations should make sure their environments are patched and up to date, continually monitor their networks for any signs of malicious activity (and ensure their security tools are updated with the latest indicators of compromise), and maintain tested backup and recovery procedures, with backup copies kept offline or otherwise isolated from the production network, so that operations can be restored in the event of a successful attack.