RA Ransomware Group Emerges With Custom Spin on Babuk

Published: 23/11/2024   Category: security




The freshly minted ransomware gang is customizing leaked Babuk source code to go after cyber targets in the US and South Korea, and it's expanding its operations quickly.



A newly discovered ransomware gang dubbed RA Group is ramping up its cyberattacks — the latest in a line of threat actors leveraging the leaked Babuk source code. The group distinguishes itself from the rest of the Babuk pack, however, with a highly customized approach.
According to an analysis from Cisco Talos this week, RA Group opened shop on April 22 and has been rapidly expanding its operations ever since. So far, it's gone after organizations in the US and South Korea in the manufacturing, wealth management, insurance, and pharmaceutical industries.
By way of background, the full source code for the Babuk ransomware was leaked online in September 2021, and since then several new threat actors have used it to go into the ransomware business. In particular, several have used it to develop lockers for VMware ESXi hypervisors; over the past year, 10 different ransomware families have gone that route.
Others have customized the code in other ways, taking advantage of the fact that it is built to exploit several known vulnerabilities, including those found in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and others.
"By reusing code written by others and leaked, these groups are reducing their development time significantly and possibly even incorporating features they would otherwise have been unable to create themselves," Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment.
He added, "In the last few years, especially after ransomware-as-a-service (RaaS) offerings became popular, it's become very clear that you do not have to be a technical marvel to play in the cybercrime and extortion game. Simply using other people's code, through a subscription or through leaks such as this, with minor modifications can get just about anyone equipped to carry out attacks."
In RA Group's case, it's using a typical double-extortion model, in which it threatens to leak exfiltrated data if the victim doesn't pay the ransom; however, according to the ransom note, victims have just three days to pay up.
That's not the only tweak to known playbooks the group is employing. On its leak site, RA Group discloses the name of the victim's organization, a list of the exfiltrated data and its total size, and the victim's official URL, which is typical of other ransomware groups' leak sites, according to Cisco Talos' analysis of the group. But in a twist, RA Group is also selling the victim's exfiltrated data on its leak site, hosting the leaked data on a secured Tor site.
Despite RA Group's spin on ransomware, the basics remain effective when it comes to defending against the threat: Organizations should make sure their environments are patched and up to date, continually monitor their networks for any signs of malicious activity (and ensure their security tools are updated with the latest indicators of compromise), and ensure they have effective backup and recovery procedures in place in the event of a successful attack.
