
“Babuk Strikes Again: US and Korea Hit by New Ransomware Attack”

RA Group, an emerging ransomware gang, has been targeting organizations in the United States and South Korea with a new ransomware family based on the leaked Babuk source code. According to Cisco’s Talos research unit, RA Group has already breached four organizations, one in South Korea and three in the United States, in the insurance, manufacturing, pharmaceuticals, and wealth management sectors. Like other ransomware groups, RA Group exfiltrates victim data and threatens to release it online unless a ransom is paid. The group launched a leak site on April 22, where it listed the four victim organizations and the exfiltrated data, together with URLs to download it.

The ransomware used by RA Group shows overlaps with the leaked Babuk source code and appends the “.GAGUP” extension to every encrypted file. Before encryption begins, it empties the Recycle Bin and deletes volume shadow copies, and it enumerates all logical drives, network shares, and other reachable network resources so that it can also encrypt files on remotely mapped drives. In the ransom note, RA Group tells victims that their data will be leaked online in less than three days unless the ransom is paid in full. Each note also contains a custom link that lets the victim verify that the data was actually exfiltrated.
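The two pre-encryption behaviours described above, shadow copy deletion and the mass renaming of files (including files on network shares) to the “.GAGUP” extension, are the kind of signals a defender can alert on. The following is an added example written for this page, not code from Talos, SentinelOne or the article. It runs over a few constructed telemetry lines in an assumed “timestamp|host|event_type|detail” format; the article only states that shadow copies are deleted, so the specific `vssadmin` and `wmic` command patterns matched here are an assumption based on commonly documented shadow-copy deletion commands, and the rename threshold of 5 is an arbitrary tuning value.

```python
"""Toy detection logic for two RA Group behaviours described in the article:
shadow-copy deletion and mass renaming of files to the .GAGUP extension.
Added example; the telemetry format and command patterns are assumptions."""
import re
from collections import Counter

# Constructed sample events, not real telemetry. Host WS01 shows the behaviours
# the article describes; WS02 only generates benign, superficially similar events.
SAMPLE_EVENTS = [
    "2023-05-15T10:01:02|WS01|process|vssadmin.exe delete shadows /all /quiet",
    "2023-05-15T10:01:05|WS01|process|wmic shadowcopy delete",
    "2023-05-15T10:02:10|WS01|file_rename|D:\\finance\\q1.xlsx -> D:\\finance\\q1.xlsx.GAGUP",
    "2023-05-15T10:02:11|WS01|file_rename|D:\\finance\\q2.xlsx -> D:\\finance\\q2.xlsx.GAGUP",
    "2023-05-15T10:02:11|WS01|file_rename|\\\\fileserver\\share\\contracts.docx -> \\\\fileserver\\share\\contracts.docx.GAGUP",
    "2023-05-15T10:02:12|WS01|file_rename|D:\\finance\\q3.xlsx -> D:\\finance\\q3.xlsx.GAGUP",
    "2023-05-15T10:02:13|WS01|file_rename|D:\\finance\\q4.xlsx -> D:\\finance\\q4.xlsx.GAGUP",
    "2023-05-15T10:02:14|WS01|file_rename|D:\\finance\\notes.txt -> D:\\finance\\notes.txt.GAGUP",
    "2023-05-15T10:03:00|WS02|process|vssadmin.exe list shadows",
    "2023-05-15T10:03:30|WS02|file_rename|C:\\temp\\draft.txt -> C:\\temp\\draft.txt.bak",
]

# Assumed shadow-copy deletion command lines (commonly documented; the article
# does not name the exact commands RA Group uses). Listing shadows is not matched.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic\s+shadowcopy\s+delete", re.IGNORECASE),
]

# Extension the article reports RA Group appends to encrypted files.
RANSOM_EXTENSION = ".gagup"


def parse_event(line):
    """Split one 'timestamp|host|event_type|detail' line into a dict."""
    ts, host, event_type, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "type": event_type, "detail": detail}


def detect(lines, rename_threshold=5):
    """Return per-host alerts for shadow-copy deletion and mass .GAGUP renames.

    Renames whose destination is a UNC path (\\\\server\\share\\...) are counted
    separately, since the article notes that mapped network drives are encrypted too.
    """
    shadow_hosts = set()
    renames = Counter()
    network_renames = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "process":
            if any(p.search(ev["detail"]) for p in SHADOW_COPY_DELETION):
                shadow_hosts.add(ev["host"])
        elif ev["type"] == "file_rename":
            _, _, new_path = ev["detail"].partition(" -> ")
            if new_path.lower().endswith(RANSOM_EXTENSION):
                renames[ev["host"]] += 1
                if new_path.startswith("\\\\"):
                    network_renames[ev["host"]] += 1
    alerts = [(host, "shadow_copy_deletion") for host in sorted(shadow_hosts)]
    alerts += [(host, "mass_gagup_rename")
               for host, n in sorted(renames.items()) if n >= rename_threshold]
    return {
        "alerts": alerts,
        "gagup_renames": dict(renames),
        "network_share_renames": dict(network_renames),
    }


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS)["alerts"]:
        print(f"ALERT {host}: {reason}")
```

The rename counter is deliberately separate from the shadow-copy rule: shadow-copy deletion alone is a strong early signal that should fire before many files are renamed, while the rename count confirms encryption is under way and, through the UNC-path counter, shows whether file servers are already being hit.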

The Babuk source code was leaked in September 2021, and RA Group’s ransomware is the latest family found to be built on that leaked code. Although the leak allowed several ransomware actors to launch their own variants, RA Group’s entry stands out because the group only began operations this April. The ‘responsible disclosure’ approach used by RA Group indicates they had been planning and developing their ransomware for a while.

SentinelOne revealed last week that, aside from the standard ransomware, the Babuk source code has become the breeding ground for 10 ransomware families that exclusively target VMware ESXi servers. The ESXiArgs locker, which caused significant issues earlier this year, is a point of disagreement: SentinelOne believes it shows no links to Babuk, whereas Talos argues that the two are related and cites previously observed ransomware attacks on ESXi servers as evidence.

The increasing number of ransomware attacks in recent years has made cybersecurity an essential issue for organizations worldwide. With critical data ranging from insider information and corporate strategies to customer identities being stolen by ransomware actors, experts recommend rigorous cybersecurity protocols. Organizations should deploy security measures that identify threats to their network and take comprehensive precautions so that ransomware does not become a significant problem for them.
