Ransomware - RA Group

RA Group (Active)
Aliases
RA
RA World
Decryptor Available
No
Description

The RA Group, or RA, was first reported on by Cisco Talos in May 2023. Their report claimed that RA began operations in mid-April 2023, and the group used a custom version of the leaked Babuk encryptor. The encryption mechanism remained the same, using the HC-128 eStream symmetrical cipher to encrypt the file contents and encrypting the key with Curve25519. However, they did implement a few changes. The most obvious is the ransom note name and its contents. The other is the file extension appended to encrypted files - '.GAGUP' and '.RAWLD.' The most non-obvious change from Babuk is the implementation of intermittent file encryption, which is becoming more common to evade endpoint detections.

You may have also seen RA Group go by another name - RA World. To the layperson, RA World appears to be a derivative of RA Group. That's because of the name, obviously, but also because it uses the same encryptor and methodologies of extortion. Upon further inspection, however, the RA Group and RA World dark web data leak sites, which are different, contain the same victim list in the same order. In other words, this is the same group. It could be two different factions working under the same umbrella, but we're uncertain. We are confident these two ransomware are part of the same RA Group. Thus, this entry has included all the RA Group and RA World contents.

The group has victims in several different sectors from organizations across the globe. There's not a clear pattern of the types of organizations targeted aside from the fact that most are what most would call "Western countries." However, many victims exist in the Indo-Pacific region, including India, South Korea, Taiwan, and Thailand. Also, many victims operate in the healthcare and manufacturing wholesale sectors, but it doesn't appear that these are specifically targeted. This is another case of the leaked Babuk encryptor and other leaked or open-source encryptors being the foundation for ransomware attacks beginning in the 2020s.

Ransomware Type
Crypto-Ransomware
Data Broker
HumOR
First Seen
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Extortion Amounts
Amount
$0.50 per customer
Communication
Medium
Identifier
Telegram
Tox
Tox
Encryption
Type
Hybrid
Files
HC-128
Key
Curve25519
File Extension
<file name>.<file extension>.GAGUP
<file name>.<file extension>.RAWLD
Ransom Note Name
Data breach warning.txt
How To Restore Your Files.txt
Samples (SHA-256)
3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e
4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801
9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de
Industry Sector Country Extortion Date Amount (USD)
Insurance United States
Banking & Finance United States
Retail & Wholesale United States
Healthcare & Medicine South Korea
Distribution & Logistics Taiwan
Information Technology South Korea
Insurance Thailand
Healthcare & Medicine France
Banking & Finance India
Healthcare & Medicine France
Retail & Wholesale United States
Banking & Finance India
Distribution & Logistics United States
Banking & Finance India
Automotive Taiwan
Government Germany
Healthcare & Medicine United Kingdom
Chemical Taiwan
Manufacturing Mexico
Healthcare & Medicine Poland $0.50 per customer
Automotive Germany
Healthcare & Medicine Germany
Banking & Finance United Kingdom
Healthcare & Medicine United States
Manufacturing Italy