Ransomware - RA Group

RA Group (Active)
RA World
Decryptor Available

The RA Group, or RA, was first reported on by Cisco Talos in May 2023. Their report stated that RA began operations in mid-April 2023 and that the group used a custom version of the leaked Babuk encryptor. The encryption mechanism remained the same: the HC-128 eSTREAM symmetric stream cipher encrypts the file contents, and the key is protected with Curve25519. However, they did implement a few changes. The most obvious are the ransom note name and its contents, and the file extension appended to encrypted files, '.GAGUP' or '.RAWLD'. The least obvious change from Babuk is the implementation of intermittent file encryption, which is becoming more common as a way to evade endpoint detection.

You may have also seen RA Group go by another name, RA World. To the layperson, RA World appears to be a derivative of RA Group: partly because of the name, but also because it uses the same encryptor and the same extortion methods. On closer inspection, however, the RA Group and RA World dark web data leak sites, which are separate, contain the same victim list in the same order. In other words, this is the same group. It could be two factions working under the same umbrella, but we're uncertain. We are confident these two ransomware operations are part of the same RA Group, so this entry covers both RA Group and RA World.

The group has victims in several sectors from organizations across the globe. There is no clear pattern in the types of organizations targeted beyond the fact that most are in what would generally be called "Western countries." However, many victims are in the Indo-Pacific region, including India, South Korea, Taiwan, and Thailand. Many victims also operate in the healthcare, manufacturing, and wholesale sectors, but it doesn't appear that these are specifically targeted. This is another case of the leaked Babuk encryptor, and other leaked or open-source encryptors, serving as the foundation for ransomware attacks in the 2020s.

Ransomware Type: Data Broker
First Seen:
Extortion Types: Direct Extortion; Double Extortion; Extortion Price Increases; Free Data Leaks
Extortion Amounts: $0.50 per customer
File Extension: <file name>.<file extension>.GAGUP; <file name>.<file extension>.RAWLD
Ransom Note Name: Data breach warning.txt; How To Restore Your Files.txt
Samples (SHA-256):
Industry Sector              | Country        | Extortion Date | Amount (USD)
-----------------------------+----------------+----------------+-------------------
Insurance                    | United States  |                |
Banking & Finance            | United States  |                |
Retail & Wholesale           | United States  |                |
Healthcare & Medicine        | South Korea    |                |
Distribution & Logistics     | Taiwan         |                |
Information Technology       | South Korea    |                |
Insurance                    | Thailand       |                |
Healthcare & Medicine        | France         |                |
Banking & Finance            | India          |                |
Healthcare & Medicine        | France         |                |
Retail & Wholesale           | United States  |                |
Distribution & Logistics     | United States  |                |
Banking & Finance            | India          |                |
Unknown                      | Unknown        |                |
Automotive                   | Taiwan         |                |
Government                   | Germany        |                |
Manufacturing                | Mexico         |                |
Healthcare & Medicine        | United Kingdom |                |
Chemical                     | Taiwan         |                |
Banking & Finance            | Unknown        |                |
Healthcare & Medicine        | Poland         |                | $0.50 per customer
Automotive                   | Germany        |                |
Healthcare & Medicine        | Germany        |                |
Banking & Finance            | United Kingdom |                |
Healthcare & Medicine        | United States  |                |
Manufacturing                | Italy          |                |
Forestry & Lumber            | Germany        |                |
Retail & Wholesale           | Netherlands    |                |
Professional Services        | United Kingdom |                |
Unknown                      | Germany        |                |
Unknown                      | Unknown        |                |
Unknown                      | Unknown        |                |
Construction & Architecture  | Germany        |                |
Real Estate & Housing        | United States  |                |
Maritime                     | United Kingdom |                |