New RA Group ransomware targets U.S. orgs in double-extortion attacks

Cyber Security Threat Summary:
“A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs. While the extortion portal was launched on April 22nd, 2023, the first batch of victimized organizations was published on April 27th, including sample files, a description of the type of content that was stolen, and links to stolen data” (Bleeping Computer, 2023).

According to researchers at Cisco Talos, the RA encryptor is based on leaked source code from the Babuk ransomware group, which shut down its operations in 2021. RA is not the first ransomware to base its encryptor on Babuk's source code. Since the source code was leaked in September 2021, several ransomware strains built on it have emerged, including Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, and ESXiArgs, among many others.

Security Officer Comments:
For its part, RA ransomware is designed to target all logical drives on the victim's system as well as network shares. Once deployed, the ransomware encrypts the victim's folders (using the Curve25519 and eSTREAM HC-128 algorithms) while excluding the Windows system, boot, and program files, as encrypting those would render the system inoperable.

“RA Group's encryptor uses intermittent encryption, which is to alternate between encrypting and not encrypting sections of a file to speed up the encryption of a file. However, this approach can be risky as it allows some data to be partially recovered from files” (Bleeping Computer, 2023).
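The recovery caveat in the quoted paragraph can be checked on disk. The following Python triage helper is an added example, not code from the Bleeping Computer article or from Cisco Talos: it maps which regions of a file still look like plaintext after intermittent encryption by measuring byte entropy per window. The 4 KiB window, the entropy threshold and the sample file are assumptions, not RA Group's actual encryption stride.

```python
# Added example (not from the Bleeping Computer article or the Cisco Talos report):
# triage helper that maps which regions of a file still look like plaintext
# after intermittent encryption. Window size and sample data are assumptions.
import math
import os
from collections import Counter

CHUNK = 4096              # assumed analysis window, not RA Group's real stride
ENTROPY_THRESHOLD = 7.2   # bits/byte; encrypted or random data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def map_regions(data: bytes, chunk: int = CHUNK) -> list:
    """Return [(offset, length, encrypted)] runs, merging adjacent windows of the same class."""
    regions = []
    for off in range(0, len(data), chunk):
        blob = data[off:off + chunk]
        enc = shannon_entropy(blob) >= ENTROPY_THRESHOLD
        if regions and regions[-1][2] == enc:
            o, l, _ = regions[-1]
            regions[-1] = (o, l + len(blob), enc)
        else:
            regions.append((off, len(blob), enc))
    return regions

def recoverable_bytes(data: bytes, chunk: int = CHUNK) -> int:
    """Bytes in low-entropy runs, i.e. plaintext likely left behind by intermittent encryption."""
    return sum(l for _, l, enc in map_regions(data, chunk) if not enc)

def build_sample() -> bytes:
    """Constructed victim file: alternate 4 KiB plaintext and 4 KiB random ('encrypted') blocks."""
    plain = (b"Quarterly report: revenue figures and notes. " * 100)[:CHUNK]
    out = b""
    for i in range(6):
        out += os.urandom(CHUNK) if i % 2 else plain
    return out

if __name__ == "__main__":
    sample = build_sample()
    for off, length, enc in map_regions(sample):
        print(f"{off:>8} {length:>6} {'encrypted' if enc else 'plaintext'}")
    print("likely recoverable:", recoverable_bytes(sample), "of", len(sample))
```

Run against a real .GAGUP file, the region map tells a responder which offsets can be carved out for partial recovery before any restore from backup is attempted.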

Upon successful encryption, the .GAGUP extension is appended to the files. At the same time, a ransom note named “How To Restore Your Files.txt” is left on the system; it includes instructions for how victims can negotiate ransom payments to receive a decryptor. Victims are given three days to pay the ransom demanded; otherwise, the group will leak the stolen data on its extortion site, which is accessible to the public.

To make recovery difficult, the malware will delete all volume shadow copies and files in the Recycle Bin.

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted with ransomware, your organization can still restore its systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, and that you identify links between these networks and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/