![]() ![]() In addition to tailoring their ransom notes to each victim, the ransomware executable file also includes the victim's name, suggesting that attackers are compiling unique variants for each victim. "We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation," the Talos researchers said. ![]() The data itself is hosted on a Tor server and victims need to contact the group using the qTox encrypted messaging app. By the end of the month it had already listed four victims along with their names, links to their websites, and a summary of the available data that is also made available for sale to others. The group's data leak site was launched on April 22. This suggests that attackers have very good insight into their victims. In fact, the final ransom note dropped by the group is tailored for each individual victim, refers to them by name, and lists the exact type of data that were copied and will be leaked publicly if contact is not made within three days. Initial access is likely followed by lateral movement and deployment of other malware tools, since the attackers are interested in first exfiltrating data that's potentially sensitive and valuable to the company. However, it's likely through one of the usual vectors used by most ransomware gangs: exploiting vulnerabilities in publicly exposed systems, stolen remote access credentials, or buying access from a different cybercrime gang that might operate a malware distribution platform. The Talos team only analyzed the ransomware sample, which is the final payload, but it hasn't determined the way in which attackers gain initial access into networks. ![]() "This form of double extortion increases the chances that a victim will pay the requested ransom." "Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands," researchers from Cisco Talos said in a new report. The group's ransomware program is built from the leaked source code of a different threat called Babuk. Researchers warn of a new ransomware threat dubbed RA Group that also engages in data theft and extortion and has been hitting organizations since late April. ![]()
0 Comments
Leave a Reply. |