Saturday, October 12, 2024
HomeCyber Security NewsNew RA Hacker Group Attack Organizations in the U.S. & Threaten to...

New RA Hacker Group Attack Organizations in the U.S. & Threaten to Leak Data

Published on

Malware protection

The ‘RA Group’ is a recently emerged ransomware organization that is actively attacking the following companies in the United States and South Korea:-

  • Pharmaceutical companies
  • Insurance companies
  • Wealth management companies
  • Manufacturing companies

Cybersecurity researchers at Cisco Talos observed them employing the common ‘double-extortion’ technique by establishing a data leak website on the dark web to disclose compromised information and compel victims into paying the ransom.

RA Hacker Group

After going online on April 22nd, 2023, the ransomware group began publishing their first victims’ details on April 27th, displaying sample files, data types, and data links.

- Advertisement - SIEM as a Service

While apart from this, RA Group utilizes an encryptor derived from the leaked source code of the now-defunct Babuk ransomware.

Sentinel Labs recently disclosed that, following the leakage of Babuk ransomware source code on a Russian hacker forum in September 2021, at least nine ransomware groups had employed it to extend their attack surface to the following platforms:-

  • Linux
  • VMware ESXi

Apart from the ransomware groups identified in Sentinel Labs’ report, Cisco Talos has documented a timeline of attacks by various groups utilizing ransomware offshoots from the Babuk source code, such as:-

  • Rook
  • Night Sky
  • Pandora
  • Nokoyawa
  • Cheerscrypt
  • AstraLocker 2.0
  • ESXiArgs

RA Group distinguishes itself by employing custom ransom notes tailored for each targeted organization, along with using victim-specific executable names.

In contrast, their ransomware targets all logical drives and network shares, except for essential Windows system folders like boot and Program Files, encrypting specific directories.

RA Group employs intermittent encryption to prevent rendering the victim’s system inoperable and increase the chances of receiving ransom payments.

This risky technique alternates between encrypting and not encrypting sections of files, potentially enabling partial data recovery.

During the encryption process, RA Group’s encryptor employs the following two algorithms:-

  • curve25519
  • eSTREAM cipher hc-128

RA Group appends the “.GAGUP” file extension to encrypted files and ensures that volume shadow copies and Recycle Bin contents are deleted, making data restoration more challenging.

Ransom Payment Note

RA Group’s ransom note, named ‘How To Restore Your Files.txt,’ instructs the victim to communicate with the threat actors through the qTox messenger application to discuss the ransom payment.

In addition to providing a link to a repository with stolen files as evidence of the data breach, the ransom note specifies that if the victim does not initiate contact within three days, the RA Group will expose the stolen files of the victim.

Due to its recent emergence and limited number of victims, the methods employed by this ransomware operation to breach systems and propagate across networks remain unclear.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...