RA Group steals 2.5TB of data in under a month in ransomware attacks

A new ransomware group calling itself “RA Group” has emerged online and claims to have stolen 2.5 terabytes of data from its victims. The group is using the Babuk ransomware source code, which was leaked online in September 2021.

Who is RA Group?

Cisco Talos researchers first observed RA Group cybercriminal operations on April 22, 2023. The group has already claimed to have stolen 2.5 terabytes of data from just four victims. Three victims are known to be within the United States and one in South Korea.

The RA Group victims are across several business verticals, including manufacturing, wealth management, insurance and pharmaceuticals, according to Cisco Talos.

The Babuk ransomware services advertise on both English-speaking and Russian-speaking forums, where it seems the former is used for announcements and the latter is focused on affiliate recruitment and ransomware updates.

The RA Group website has undergone cosmetic changes since it was first published, which Cisco Talos researchers say “confirms they are in the early stages of their operation.”

The RA Group leak website, where victims’ data is hosted and available for sale on a secured Tor site. (Source: Cisco Talos)
A sample ransomware note intended for a RA Group victim listing data it has stolen and the group’s demands. (Source: Cisco Talos)

The group uses a custom ransom note for each victim that informs them they have three days to pay before a sample of the stolen data is published, and seven days before the complete data set is published. Victim entity names are also hardcoded into the executable files, a characteristic the researchers describe as “unusual” for ransomware groups.

RA Group uses customized Babuk ransomware source code

RA Group is the latest in a long line of ransomware groups to use the Babuk source code, but it appears to use a customized variant of that code.

Talos has observed that RA Group embeds a ransom note written specifically for each victim, with the victim’s name in it, and also names the victim inside the executable itself.

Talos researchers confirm that RA Group’s ransomware sample is written in C++ and was compiled on April 23, 2023. The binary’s debug paths and mutex name match those used by Babuk ransomware, supporting Talos’ “high-confidence assessment that RA Group built their ransomware using Babuk’s leaked source code.”

RA Group’s code showing the mutex name is the same as that of Babuk ransomware. (Source: Cisco Talos)

Ten unique ransomware families are leveraging Babuk ransomware code today, according to Talos. Just two months after the code was leaked, Talos identified a group called “Tortilla” using it to target Microsoft Exchange servers in multiple countries.

Last week, SentinelLabs researchers reported identifying the same 10 distinct ransomware families deploying VMware ESXi hypervisor lockers based on the leaked Babuk code.

The rise of ransomware groups using the Babuk source code is a worrying trend. It shows that even though the code was leaked over a year ago, it is still used by cybercriminals to target businesses and individuals.

Babuk ransomware is allegedly co-developed by Mikhail Pavlovich Matveev, a Russian national charged with carrying out multiple ransomware attacks. The Department of Justice and FBI have unsealed an indictment against Matveev for targeting law enforcement agencies and New Jersey county municipalities with ransomware attacks using Babuk, Hive and LockBit ransomware code.

