The newly discovered RA Group ransomware operation has been targeting organisations in the United States and South Korea, including firms in the insurance, finance management, manufacturing, and pharmaceutical sectors.
According to researchers, the RA Group employs an encryptor based on the leaked source code of the Babuk ransomware, an operation that shut down a couple of years ago.
What sets the RA Group apart is that every attack includes a custom ransom note written specifically for the targeted company; the encryptor executable is also named after the victim.
The ransomware targets all logical drives on the infected device as well as network shares, and attempts to encrypt every folder except those related to the Windows system and program files.
Skipping these folders lets the attackers avoid rendering the victim's system unusable, since a victim could not pay the ransom without a working machine.
The RA Group uses a risky technique that could lead to data recovery.
The RA Group uses intermittent encryption, alternating between encrypting and skipping portions of each file to speed up the encryption process. The group's chosen technique is a gamble, however, because the unencrypted portions allow some information to be partially recovered from the files.
The threat actors use curve25519 and the eSTREAM cypher HC-128 when encrypting data, and append the [.]GAGUP extension to every encrypted file. They also wipe all volume shadow copies and Recycle Bin contents to prevent data restoration.
The ransomware then drops a ransom note named ‘How To Restore Your Files[.]txt’ that instructs the victim to use the qTox messenger to communicate and negotiate with the attackers. The note also contains a link to a repository holding files stolen from the victim as proof of the intrusion.
Lastly, the adversaries give their victims three days before releasing a sample of the stolen data on their extortion sites. Researchers believe, however, that the ransom demand is open to negotiation.
Researchers still do not know how the threat actors breach systems and propagate across networks, since this is a relatively new ransomware operation.
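The recovery gamble described above can be measured from the incident-response side: chunks that were skipped keep their low, text-like entropy, while encrypted chunks sit near 8 bits per byte. The following is an added example, not code from the article or from any RA Group sample; the 1 KiB window, the 7.0-bit threshold and the "every second chunk" pattern in the constructed input are assumptions, since the page does not give the group's real stride.

```python
import math
import os
from typing import List, Tuple

CHUNK = 1024  # analysis window (assumption; the real encryptor stride is not stated on the page)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> List[float]:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def intermittent_profile(data: bytes, chunk: int = CHUNK, threshold: float = 7.0) -> Tuple[bool, float]:
    """Return (looks_intermittent, recoverable_fraction).

    A fully encrypted file has every chunk above the threshold; an untouched file has none.
    Repeated high/low transitions are the signature of intermittent encryption, and the
    low-entropy chunks are the plaintext a responder can still carve out of the file.
    """
    high = [e >= threshold for e in chunk_entropies(data, chunk)]
    if not high or all(high):
        return False, 0.0          # nothing, or everything, is ciphertext
    if not any(high):
        return False, 1.0          # file was never encrypted
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    recoverable = 1 - sum(high) / len(high)
    return transitions >= 2, recoverable


def make_sample(plaintext: bytes, chunk: int = CHUNK, encrypt_every: int = 2) -> bytes:
    """Constructed test input: every `encrypt_every`-th chunk is replaced with random bytes
    to stand in for ciphertext. This only simulates the on-disk result for the detector."""
    out = bytearray(plaintext)
    for i in range(0, len(out), chunk):
        if (i // chunk) % encrypt_every == 0:
            out[i:i + chunk] = os.urandom(len(out[i:i + chunk]))
    return bytes(out)
```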