RA Group Hacks Businesses Using Stolen Babuk Source-Code

By   Olivia William
Writer , Information Security Buzz | May 16, 2023 03:48 am PST

The ransomware attacks of the recently identified RA Group, the latest threat actor to use the stolen Babuk code, have increased in frequency and severity. Their specialized technique sets them apart from the rest of the Babuk tribe.

This week, Cisco Talos released an investigation claiming that RA Group had launched on April 22 and had since expanded significantly. So far, it has targeted manufacturing, wealth management, insurance, and pharmaceutical firms in the United States and South Korea.

To give some context, in September 2021, the complete source code for the Babuk ransomware was released online, and since then, multiple new threat actors have exploited it to enter the ransomware business. Over the past year, ten distinct ransomware families have taken advantage of this vulnerability to create lockers for VMware ESXi hypervisors.

Some have modified the code to exploit vulnerabilities in software such as Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, etc.

“By reusing code done by others and leaked, these groups are significantly reducing their development time and possibly incorporating features they would otherwise be unable to create themselves,” Erich Kron, security awareness advocate at KnowBe4, stated in an email response. 

He continued, “It’s become very evident that you do not have to be a technological wonder to engage in the cybercrime and extortion game in recent years, especially once ransomware-as-a-service (RaaS) products became popular. Anyone can launch assaults with minimal training if they gain access to other people’s code through a subscription or leaks like these.

The RA Group’s Original Approach To Babuk

The ransom message from RA Group gives victims only three days to pay the ransom before the stolen data is leaked publicly. This is a common double-extortion model.

That isn’t the only deviation from the standard operating procedure that the group is making. According to Cisco Talos’ investigation of the ransomware group, “in their leak site, RA Group discloses the name of the victim’s organization, a list of their exfiltrated data and the total size,” which is standard practice for ransomware groups. However, there’s a twist: “RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site.”

Organizations should ensure their environments are patched and up to date, continuously monitor their networks for any signs of malicious activity (and ensure their security tools are updated with the latest indicators of compromise), and ensure they have effective backup and recovery procedures in place in the event of a successful attack, despite the RA Group’s spin on ransomware.


The RA Group, a recently identified ransomware threat actor, was revealed to have compromised businesses in the US and KR by leveraging stolen Babuk code. The manufacturing sector, the wealth management sector, insurance companies, and the pharmaceutical industry were all targeted. Cisco Talos reported double extortion attacks by the RA Group on May 15 in a blog post. When victims don’t respond or don’t pay the extortion, the RA Group, like other ransomware attackers, threatens to publish the data exfiltrated from them on a data leak site.  

Cisco Talos has found evidence that the RA Group has rapidly expanded its operations. On April 22, the gang unveiled its data leak site, and by April 27, Cisco Talos had spotted the first batch of victims. Researchers also claim to have witnessed the RA Group making cosmetic adjustments to the leak site after the victim’s details were made public, providing more evidence that the operation is still in its infancy. This is big news because it corroborate with a report from SentinelLabs that came out last week, which stated that ransomware groups continue to find ESXi hypervisors to be valuable targets.