
[ Intelligence ] (TLP:CLEAR) New ‘RA’ ransomware group using leaked source code to launch attacks

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: A new ransomware group is using leaked code from the now-defunct Babuk gang to attack organizations. Researchers from the threat intelligence firm Cisco Talos said in a report (weblink below) that the company recently discovered the gang, named RA Group, which has been operating since at least April 2023. Since then, the group has attacked at least three companies in the U.S. and South Korea involved in manufacturing, pharmaceuticals and other sectors. Analysis of the group’s ransomware shows it is built on source code from Babuk, a ransomware gang whose source code leaked online in 2021; since that leak, dozens of groups have used it to develop their own brand of ransomware.

Cisco Talos Report: hxxps://blog.talosintelligence[.]com/ra-group-ransomware/

NYSIC CAU Analyst Note: The RA Group launched its data leak site on April 22 and added its first victims at the end of the month. Since then, the group has continually updated the leak site with cosmetic changes. Like most leak sites, victim names and URLs are listed alongside an itemized list of the stolen data, which is also being offered for sale. The group customizes its ransom notes and gives victims only three days to respond to the hackers before their data is leaked. Encrypted files are appended with the file extension “.GAGUP” and the ransomware deletes all contents of the victim’s trash. The ransomware does not encrypt all of a victim’s files and folders: some folders are deliberately left unencrypted so the victim can still contact the RA Group operators.
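The “.GAGUP” extension noted above is the most direct host-level indicator in this advisory. The following is an added detection sketch, not material from NYSIC or Cisco Talos: it parses constructed file-rename events (the log format, host names and paths are assumptions made for the example) and flags any host where several files gain the extension within a short window, which is the mass-rename pattern an encryption run produces rather than a single stray file.

```python
"""Flag hosts showing a burst of files renamed to the '.GAGUP' extension.

Added illustration for this advisory. The event format
"<ISO timestamp> <host> RENAME <old path> -> <new path>", the host names and
the paths below are constructed assumptions, not data from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extension the advisory reports for files encrypted by RA Group ransomware.
RANSOM_EXT = ".GAGUP"

# Constructed sample events: five rapid renames on ws-17, one benign rename
# and one isolated hit on ws-22.
SAMPLE_EVENTS = [
    "2023-05-01T09:00:01 ws-17 RENAME C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.GAGUP",
    "2023-05-01T09:00:02 ws-17 RENAME C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\budget.xlsx.GAGUP",
    "2023-05-01T09:00:02 ws-17 RENAME C:\\Users\\a\\plan.pdf -> C:\\Users\\a\\plan.pdf.GAGUP",
    "2023-05-01T09:00:03 ws-17 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.GAGUP",
    "2023-05-01T09:00:04 ws-17 RENAME C:\\Users\\a\\photo.jpg -> C:\\Users\\a\\photo.jpg.GAGUP",
    "2023-05-01T09:14:00 ws-22 RENAME C:\\Temp\\draft.txt -> C:\\Temp\\draft.final.txt",
    "2023-05-01T11:30:00 ws-22 RENAME C:\\Temp\\x.bin -> C:\\Temp\\x.bin.GAGUP",
]


def parse_event(line):
    """Return (timestamp, host, new_path) for a RENAME event, or None if the
    line does not match the assumed format."""
    try:
        ts, host, verb, rest = line.split(" ", 3)
        if verb != "RENAME" or " -> " not in rest:
            return None
        _old, new = rest.split(" -> ", 1)
        return datetime.fromisoformat(ts), host, new
    except ValueError:
        return None


def find_encryption_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts where at least `threshold` files
    gained RANSOM_EXT inside any `window`-long span.

    A sliding window over sorted timestamps gives the densest burst per host,
    so one stray file with the extension does not raise an alert but a
    rapid series of renames does."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[2].upper().endswith(RANSOM_EXT):
            by_host[parsed[1]].append(parsed[0])

    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_EVENTS))
```

Tune `threshold` and `window` to the rename rate normal for the monitored hosts; the extension match alone is cheap to evade and should be one signal among others (trash emptying, ransom-note creation) rather than the sole trigger.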

Sources:
hxxps://www.bleepingcomputer[.]com/news/security/new-ra-group-ransomware-targets-us-orgs-in-double-extortion-attacks/
hxxps://thehackernews[.]com/2023/05/new-ransomware-gang-ra-group-hits-us.html
hxxps://www.scmagazine[.]com/news/ransomware/ra-group-uses-leaked-babuk-code-attack-companies-us-south-korea

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
