Code

Leaked Babuk ransomware builder code lives on as RA Group

The bones of long gone ransomware group Babuk continue to rattle in the breeze, in the form of reused code. Researchers from Cisco Talos have named this new team the “RA Group”, a ransomware collective which may have only been up and running since last month.

Babuk famously threatened to leak law enforcement data, relented, and then had its ransomware builder tool leaked during the weirdest retirement ever. While some of these antics may sound faintly comical, the ransomware was no joke. Babuk popped up in all sorts of attacks, like being deployed via Microsoft Exchange exploits. Babuk code has also been reused prior to this latest group, for example as the basis for Rook ransomware at the end of 2021.

The leaked builder has proven to be very useful for those in the ransomware realm, and people wanting to get in on the act. Its versatility and relative ease of use ensures that—sadly—we’ll likely be seeing Babuk lurking at the edges of ransomware development for a long time to come.

Our latest Babuk beneficiary, the RA Group, already has four known compromises in the US and South Korea. According to Talos, like many other forms of ransomware, the attacks are based around double extortion tactics. This is where the target isn’t just stuck with encrypted, inaccessible files, they’re also threatened with the stolen data being leaked should the ransom not be paid.

In this case, RA Group is sticking with the tried and tested leak portal technique. Watching confidential information be spilled across the internet for download is certainly one way to encourage a business to pay up, and an effective tactic. Talos reports that the main leak site is undergoing various cosmetic tweaks and alterations, confirming the impression that this is all very new indeed.

RA Group Leak site

If you’re unfortunate enough to end up on the leak portal, your details are organised like so:

  • Organisation name
  • A list of stolen data / file size
  • Organisation URL

Customised ransom notes are used for compromised entities, with three days given to pay up or risk the data being made public. When the three day mark is reached, “sample files” are made public. After 7 days, everything goes public.

A list of the stolen data is also provided in the ransom note, which isn’t something you see all the time. There’s no better way to show you mean business than explain exactly what you’ve done to supplier, tax, and financial information across every compromised desktop. Talos notes that the impacted organisation is also mentioned inside the code of the executable too.

Should your data eventually end up for sale, the below message may eventually provide lots of sleepless nights:

If you want to buy this data, please contact us by qtox

qTox is an instant messaging tool billed as being secure and private, particularly with regard to avoiding having your Government listening in on what you might be saying. Ransomware groups using instant message to communicate with victims is fairly common, and they often make use of secure tools to do so.

Malwarebytes users are protected against this particular threat, which we detect as Malware.Ransom.Agent.Generic.

RA Group ransomware detection

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.