The RA Group, or RA, was first reported on by Cisco Talos in May 2023. Their report claimed that RA began operations in mid-April 2023, and the group used a custom version of the leaked Babuk encryptor. The encryption mechanism remained the same, using the HC-128 eStream symmetrical cipher to encrypt the file contents and encrypting the key with Curve25519. However, they did implement a few changes. The most obvious is the ransom note name and its contents. The other is the file extension appended to encrypted files - '.GAGUP' and '.RAWLD.' The most non-obvious change from Babuk is the implementation of intermittent file encryption, which is becoming more common to evade endpoint detections.
You may have also seen RA Group go by another name - RA World. To the layperson, RA World appears to be a derivative of RA Group. That's because of the name, obviously, but also because it uses the same encryptor and methodologies of extortion. Upon further inspection, however, the RA Group and RA World dark web data leak sites, which are different, contain the same victim list in the same order. In other words, this is the same group. It could be two different factions working under the same umbrella, but we're uncertain. We are confident these two ransomware are part of the same RA Group. Thus, this entry has included all the RA Group and RA World contents.
The group has victims in several different sectors from organizations across the globe. There's not a clear pattern of the types of organizations targeted aside from the fact that most are what most would call "Western countries." However, many victims exist in the Indo-Pacific region, including India, South Korea, Taiwan, and Thailand. Also, many victims operate in the healthcare and manufacturing wholesale sectors, but it doesn't appear that these are specifically targeted. This is another case of the leaked Babuk encryptor and other leaked or open-source encryptors being the foundation for ransomware attacks beginning in the 2020s.
Known Victims(35)
| Industry Sector | Paese | Extortion Date | Amount (USD) |
|---|---|---|---|
| Insurance | United States | ||
| Banking & Finance | United States | ||
| Retail & Wholesale | United States | ||
| Healthcare & Medicine | South Korea | ||
| Distribution & Logistics | Taiwan | ||
| Information Technology | South Korea | ||
| Insurance | Thailand | ||
| Healthcare & Medicine | France | ||
| Banking & Finance | India | ||
| Healthcare & Medicine | France | ||
| Retail & Wholesale | United States | ||
| Distribution & Logistics | United States | ||
| Banking & Finance | India | ||
| Unknown | Unknown | ||
| Automotive | Taiwan | ||
| Government | Germany | ||
| Manufacturing | Mexico | ||
| Healthcare & Medicine | United Kingdom | ||
| Chemical | Taiwan | ||
| Banking & Finance | Unknown | ||
| Healthcare & Medicine | Poland | $0.50 per customer | |
| Automotive | Germany | ||
| Healthcare & Medicine | Germany | ||
| Banking & Finance | United Kingdom | ||
| Healthcare & Medicine | United States | ||
| Manufacturing | Italy | ||
| Forestry & Lumber | Germany | ||
| Retail & Wholesale | Netherlands | ||
| Professional Services | United Kingdom | ||
| Unknown | Germany | ||
| Unknown | Unknown | ||
| Unknown | Unknown | ||
| Construction & Architecture | Germany | ||
| Real Estate & Housing | United States | ||
| Maritime | United Kingdom |