Ransomware, Threat Management

RA Group uses leaked Babuk code to attack companies in the US, South Korea

Closeup coding html and programming on screen laptop, developer

A newly discovered ransomware threat actor called the RA Group was found using leaked Babuk source code in its attacks, compromising companies in the United States and South Korea. Target industries included manufacturing, wealth management, insurance providers, and pharmaceuticals.

In a May 15 blog post, Cisco Talos said the RA Group has been launching double extortion attacks. Much like other ransomware actors, the RA Group also operates a data leak site in which it threatens to publish the data exfiltrated from victims who fail to contact them within a specified time or refuse to pay the ransom.  

The Cisco Talos researchers say the RA Group has expanded its operations at a fast clip. The group launched its data leak site on April 22 and by April 27, Cisco Talos observed the first batch of three victims, followed by a fourth on April 28. The researchers also say they observed the RA Group making cosmetic changes to the leak site after disclosing the victim’s details, which confirms they are in the early stages of the operation.

The news was significant because it follows a report last week from SentinelLabs that there’s been mounting evidence that ESXi hypervisors remain valuable targets for ransomware groups and that the leak of Babuk source code in September 2021 offered unprecedented insight for threat actors into the development operations of an organized ransomware group.

Cisco Talos on May 15 compiled a timeline of these attacks conducted by different actors using ransomware families that branched off the leaked Babuk source code.

The Babuk-leaked ransomware has sprouted into several customized families of malicious code, said Timothy Morris, chief security advisor at Tanium. Morris said it exploits several known vulnerabilities within software, including Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, and Liferay, interrupting backups and deleting volume shadow copies.

“It’s important that organizations have a robust vulnerability program and patch frequently,” said Morris. “The preventions are the same. Know your environment and what you look like to an attacker. This includes inventory of hardware, software, and the versions. Keep EDR and network inspection tools up-to-date that consistently monitor IOCs and behaviors.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.