Tuesday, 16 May 2023 12:07

Ransomware Group RA Group Is Open for Business in the US and South Korea


There is a new player in the ransomware space. Dubbed RA Group, this new organization appears to have had its grand opening last month (April 2023). RA Group published a data leak site on the dark web as part of the now all too familiar double extortion scheme that most ransomware brings to the table. RA Group is also one of the organizations that has built on the leaked Babuk source code to get things going, as reported by Cisco Talos.

RA Group published details of its first victims on April 27th, meaning that things are in full swing now. The attack details are interesting: the group names the binary after the victim and includes a customized ransom note as well (you know, for the personal touch). The payload targets all logical drives as well as any connected network shares while excluding the folders and files critical to the operation of the device. The latter means the target can still boot the device, leaving only business data encrypted. It is an approach that seems to be aimed at making payment more likely.

There is currently no information on the initial access vectors used to deliver the ransomware, owing to the small number of known victims of the new group. We are confident that as more organizations are targeted the TTPs of RA Group will come to light.

To speed up encryption of the data, RA Group uses a method called intermittent encryption, meaning that the entire file or volume is not encrypted. This can allow for partial data recovery, making it a risky tactic, but then again being a cyber criminal is risky anyway. Other features of the ransomware are deletion of shadow copies and of the recycle bin contents, all while it exfiltrates the data it is encrypting. Once the payload has done its job, it leaves the customized ransom note, which includes instructions on how to pay the ransom along with a link to sample files as proof of exfiltration. The timelines are simple: after 3 days of no contact the sample files go live, and after 7 days all the stolen data becomes public.
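As an added illustration (not from the article or from Cisco Talos's analysis), the scan below shows the trace intermittent encryption leaves on disk from a responder's point of view: whole chunks of a file still have plaintext-like entropy while others sit near 8 bits per byte. The chunk size, the entropy threshold and the sample files are constructed assumptions, and random bytes stand in for ciphertext.

```python
import math
import os
from collections import Counter

CHUNK = 4096          # scan granularity (assumed); intermittent schemes skip whole ranges
HIGH_ENTROPY = 7.5    # bits/byte; compressed or encrypted data sits near 8.0

# Constructed plaintext filler (not real victim data): low-entropy English text.
PLAIN_FILL = (b"Quarterly revenue figures and customer contact sheet. " * 80)[:CHUNK]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_flags(data: bytes, chunk: int = CHUNK) -> list:
    """One boolean per chunk: True if the chunk looks encrypted (high entropy)."""
    return [shannon_entropy(data[i:i + chunk]) >= HIGH_ENTROPY
            for i in range(0, len(data), chunk)]

def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Label a file body as plaintext, encrypted, intermittent or mixed."""
    flags = chunk_flags(data, chunk)
    if not flags or not any(flags):
        return "plaintext"
    if all(flags):
        return "encrypted"
    # Count high/low alternations. A single boundary could be an embedded image
    # or archive; repeated alternation is the layout intermittent encryption leaves.
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "mixed"

def recoverable_fraction(data: bytes, chunk: int = CHUNK) -> float:
    """Share of chunks still low-entropy, i.e. plaintext the encryptor skipped."""
    flags = chunk_flags(data, chunk)
    return 0.0 if not flags else 1 - sum(flags) / len(flags)

def build_sample(pattern: str) -> bytes:
    """Constructed test file: 'P' = untouched plaintext chunk, 'C' = encrypted chunk
    (modelled with os.urandom, which has the same entropy profile as ciphertext)."""
    return b"".join(PLAIN_FILL if ch == "P" else os.urandom(CHUNK) for ch in pattern)

if __name__ == "__main__":
    for pattern in ("PPPP", "CCCC", "PCPCPC", "PPCC"):
        sample = build_sample(pattern)
        print(pattern, classify(sample), f"{recoverable_fraction(sample):.2f}")
```

Run over a directory of files after an incident, the "intermittent" label plus the recoverable fraction tells a responder how much of each file the encryptor actually touched before any restore decision is made.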

Ransomware is not going anywhere; if anything, the leak of the Babuk source code may have breathed new life into it, as new groups cut their development time by building on someone else's work.
