Recently, a new hacker group calling themselves the “RA ransomware group” has emerged, taking responsibility for launching a cyber attack on Eastern Media International, a Taiwan-based company known for its extensive range of services, including warehousing and grain trading, shipping, logistics, real estate development, and media services.
The cyber attack took place on July 31, 2023, at 02:46 UTC +3. According to their claims, the RA group added Eastern Media International to its victim list after the company declined to comply with ransom demands.
Cyber attack on Eastern Media International
The Cyber Express contacted the company to inquire about the reported cyber attack on Eastern Media International. As of the time of writing, there have been no official responses or statements from the company regarding the incident.
Furthermore, apart from the attack on Eastern Media International, the RA ransomware group also targeted the Insurance Providers Group, adding them to their list of victims who did not meet their ransom demands.
The victim was included on the RA ransomware group’s leak site on the same date and time as the previous attack.
As for the threat actor, the RA ransomware group is a relatively new threat actor that appears to be built on the leaked Babuk ransomware code.
Prior to the cyber attack on Eastern Media International, the group first came into existence on April 22, 2023, when it launched its data leak Tor website, and within five days, they had already posted stolen data from three victims.
Who is the RA ransomware group?
What sets the RA ransomware group apart is its adaptability.
The ransomware employs the target organization’s specific details within their ransom notes and on the ransomware executable file.
This unique characteristic has led experts to believe that the RA ransomware group customizes its attack for each victim, making them even more dangerous.
As with other ransomware, the RA ransomware group encrypts and locks the victims’ files, demanding a ransom in exchange for the decryption key.
Notably, the group follows the double extortion tactic, threatening to leak the stolen data on their Tor website if the payment is not made.
The RA ransomware group, also known as the RA Group virus, is a dangerous threat categorized as Ransomware and Crypto Virus.
It encrypts files with the extension.GAGUP, though variations might exist. Victims receive a ransom demand message titled “How To Restore Your Files.txt.”
Unfortunately, there is currently no available decryptor for this ransomware. Various antivirus programs detect it under different names, such as Avast Win64:RansomX-gen [Ransom] and Emsisoft Generic.Ransom.Babuk.!s!.G.8D150263, Kaspersky Trojan-Ransom.Win32.Encoder.txd, and Malwarebytes Ransom.Babuk.
The RA ransomware group starts its operation by infecting the victim’s system, leaving them to experience the inability to access files, encounter ransom notes, and find their files encrypted with new extensions.
The RA ransomware group family is based on Babuk’s leaked source code. Distribution methods involve exploiting system vulnerabilities and stolen remote access credentials.
According to researchers at Cisco Talos, RA Ransomware is expanding its operations at a fast pace.
“RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28,” said the Cisco Talos report.
“We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.”
The consequences of falling victim to the RA ransomware group can be severe, ranging from encrypted and locked files until the ransom is paid to the potential theft of passwords and the risk of data leaks on the gang’s Tor website.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
