Ransomware - RA Group

RA Group (Active)
Aliases
RA
RA World
Decryptor Available
No
Description

The RA Group, or RA, was first reported on by Cisco Talos in May 2023. Their report claimed that RA began operations in mid-April 2023, and the group used a custom version of the leaked Babuk encryptor. The encryption mechanism remained the same, using the HC-128 eStream symmetrical cipher to encrypt the file contents and encrypting the key with Curve25519. However, they did implement a few changes. The most obvious is the ransom note name and its contents. The other is the file extension appended to encrypted files - '.GAGUP' and '.RAWLD.' The most non-obvious change from Babuk is the implementation of intermittent file encryption, which is becoming more common to evade endpoint detections.

You may have also seen RA Group go by another name - RA World. To the layperson, RA World appears to be a derivative of RA Group. That's because of the name, obviously, but also because it uses the same encryptor and methodologies of extortion. Upon further inspection, however, the RA Group and RA World dark web data leak sites, which are different, contain the same victim list in the same order. In other words, this is the same group. It could be two different factions working under the same umbrella, but we're uncertain. We are confident these two ransomware are part of the same RA Group. Thus, this entry has included all the RA Group and RA World contents.

The group has victims in several different sectors from organizations across the globe. There's not a clear pattern of the types of organizations targeted aside from the fact that most are what most would call "Western countries." However, many victims exist in the Indo-Pacific region, including India, South Korea, Taiwan, and Thailand. Also, many victims operate in the healthcare and manufacturing wholesale sectors, but it doesn't appear that these are specifically targeted. This is another case of the leaked Babuk encryptor and other leaked or open-source encryptors being the foundation for ransomware attacks beginning in the 2020s.

Ransomware Type
Crypto-Ransomware
Data Broker
HumOR
First Seen
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Extortion Amounts
Amount
$0.50 per customer
Communication
Médio
Identificador
Telegram
Tox
Tox
Encryption
Type
Hybrid
Files
HC-128
Key
Curve25519
File Extension
<file name>.<file extension>.GAGUP
<file name>.<file extension>.RAWLD
Ransom Note Name
Data breach warning.txt
How To Restore Your Files.txt
Samples (SHA-256)
3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e
4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801
9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de
Industry Sector País Extortion Date Amount (USD)
InsuranceUnited States
Banking & FinanceUnited States
Retail & WholesaleUnited States
Healthcare & MedicineSouth Korea
Distribution & LogisticsTaiwan
Information TechnologySouth Korea
InsuranceThailand
Healthcare & MedicineFrance
Banking & FinanceIndia
Healthcare & MedicineFrance
Retail & WholesaleUnited States
Distribution & LogisticsUnited States
Banking & FinanceIndia
UnknownUnknown
AutomotiveTaiwan
GovernmentGermany
ManufacturingMexico
Healthcare & MedicineUnited Kingdom
ChemicalTaiwan
Banking & FinanceUnknown
Healthcare & MedicinePoland $0.50 per customer
AutomotiveGermany
Healthcare & MedicineGermany
Banking & FinanceUnited Kingdom
Healthcare & MedicineUnited States
ManufacturingItaly
Forestry & LumberGermany
Retail & WholesaleNetherlands
Professional ServicesUnited Kingdom
UnknownGermany
UnknownUnknown
UnknownUnknown
Construction & ArchitectureGermany
Real Estate & HousingUnited States
MaritimeUnited Kingdom