On Monday 15th of May 2023, Cisco Talos revealed a new ransomware group named ‘RA Group’ that is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea.
The blog post covering the group revealed that their operation started in April 2023: they launched a data leak site on the dark web on Sunday 22nd of April 2023, and the first batch of victimised organisations was published on Thursday 27th of April 2023.
A notable characteristic of RA Group is that their encryptor is based on the leaked source code for the Babuk ransomware. An analysis of the encryptor revealed that it uses intermittent encryption, alternating between encrypting and skipping sections of a file so that each file is encrypted faster. Another notable characteristic of RA Group is that each attack features a custom ransom note written specifically for the targeted organisation, and the executable is also named after the victim. In the ransom notes, the group claims to give victims three days before a sample of the stolen data is published on its extortion site.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.