
What is the RA Group Ransomware & How to Prevent an Attack

RA Group is a ransomware operation first observed in April 2023 that is built on the leaked Babuk ransomware source code. The gang launched its Tor leak site on April 22, 2023, and by April 27 it had posted stolen data from three victims.

The ransomware is tailored to each target: the victim organization’s name appears both in the ransom note and inside the ransomware executable. This per-victim customization leads researchers to believe RA Group builds a separate sample for each victim.

What kind of malware is RA Group?

RA Group is ransomware, a type of malware that encrypts the victim’s files and demands a ransom in exchange for the decryption key. The gang relies on double extortion: in addition to charging for decryption, it demands payment to refrain from publishing the stolen data on its Tor leak site.

Identify the RA Group ransomware

Confirmed Name

  • RA Group virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker

Encrypted Files Extension

  • .GAGUP
  • Victims may see different extensions

Ransom Demanding Message

  • How To Restore Your Files.txt

Is There a Free Decryptor Available?

  • No. No public decryptor is available for RA Group ransomware at the time of writing.

Detection Names

  • Avast: Win64:RansomX-gen [Ransom]
  • Emsisoft: Generic.Ransom.Babuk.!s!.G.8D150263
  • Kaspersky: Trojan-Ransom.Win32.Encoder.txd
  • Malwarebytes: Ransom.Babuk

Symptoms

  • Can’t open files stored on the computer
  • Ransom note dropped on the desktop and in every folder
  • Files have a new extension
  • A note with instructions pops up when the victim tries to open an encrypted file

Ransomware family, type & variant

  • RA Group ransomware family.
  • It used Babuk’s leaked source code to build its own ransomware

Distribution methods

  • RA Group’s initial access methods are still under investigation
  • The gang is believed to rely on stolen remote-access credentials and exposed remote services such as RDP

Consequences

  • Files are encrypted and unusable until decrypted
  • Credential theft
  • Stolen data published on the gang’s Tor leak site

Prevention

  • Antivirus and anti-malware
  • Remove any unused account and credentials
  • Apply multi-factor authentication
  • Updated software
  • Updated operating system (OS)
  • Firewalls
  • Don’t open an email attachment from an unknown source
  • Do not download files from suspicious websites
  • Don’t click on ads unless you’re sure it’s safe
  • Only access websites from trustworthy sources

Sites referenced in the RA Group ransom note (these are the legitimate qTox and Tor Project sites, not attacker infrastructure; the gang’s own .onion leak address is not reproduced here):

  • hxxps://qtox.github.io
  • hxxps://www.torproject.org

How does RA Group infect a computer?

RA Group ransomware reaches a computer or network through several methods:

  • Stolen credentials. Criminals obtain credentials from data breaches, from infostealer malware on infected devices, or by buying them on dark web markets. Once logged in, they can deploy the ransomware and demand payment. Multi-factor authentication, sound password policies, and regular security awareness training for employees all reduce what a stolen password is worth to an attacker.
  • Vulnerable remote services. RA Group attacks are also believed to start through insecure, internet-exposed remote services. Attackers target Remote Desktop Protocol (RDP) endpoints whose credentials are weak, reused, or previously leaked, then use that foothold to move through the network, steal data, and deploy the ransomware.
  • Known software vulnerabilities. Attackers also exploit software with known, unpatched vulnerabilities to get into business networks. Keep all software updated and keep remote administration tools such as RDP off the public internet or behind a VPN with multi-factor authentication.
  • Unofficial software download sources and cracks. Pirated software and cracks are frequently bundled with malware. Such software also never receives the vendor updates that fix the vulnerabilities attackers exploit.
  • Trojans. A trojan is software that claims to perform one task but carries out another, usually malicious, one. Trojans arrive as fake programs, email attachments, and other file types designed to deceive the victim into running them.
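The credential attacks against RDP described above leave a recognizable trace in Windows Security logs: a burst of failed logons (event 4625 with logon type 10, RemoteInteractive) from one source, followed by a successful logon (event 4624) from the same source. The following Python script is an added example, not part of the original article or of any vendor product, showing the detection logic a defender would run over such events. The log lines, IP addresses, account names, failure threshold and time window are all constructed for the example.

```python
"""Detect RDP password spraying / brute force followed by a successful logon.

Windows Security event 4625 = failed logon, 4624 = successful logon;
logon_type 10 = RemoteInteractive (RDP). The events below are constructed
for this example and simplified to one line per event; real telemetry
would come from the event log or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one external source sprays several accounts, then
# succeeds as "jsmith"; one internal user mistypes a password once.
SAMPLE_EVENTS = """\
2023-05-10T02:14:03Z 4625 src=203.0.113.7 user=administrator logon_type=10
2023-05-10T02:14:05Z 4625 src=203.0.113.7 user=admin logon_type=10
2023-05-10T02:14:07Z 4625 src=203.0.113.7 user=backup logon_type=10
2023-05-10T02:14:09Z 4625 src=203.0.113.7 user=svc_sql logon_type=10
2023-05-10T02:14:11Z 4625 src=203.0.113.7 user=jsmith logon_type=10
2023-05-10T02:14:13Z 4625 src=203.0.113.7 user=jsmith logon_type=10
2023-05-10T02:14:40Z 4624 src=203.0.113.7 user=jsmith logon_type=10
2023-05-10T08:01:00Z 4625 src=10.0.0.25 user=mlee logon_type=10
2023-05-10T08:01:20Z 4624 src=10.0.0.25 user=mlee logon_type=10
"""

FAILURE_THRESHOLD = 5          # assumed tuning value, not from the article
WINDOW = timedelta(minutes=10)  # failures older than this are forgotten


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "src": fields["src"],
        "user": fields["user"],
        "logon_type": int(fields["logon_type"]),
    }


def find_rdp_credential_attacks(text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a finding for every RDP success preceded by >= threshold
    failures from the same source within the window."""
    events = sorted(
        (parse_event(l) for l in text.splitlines() if l.strip()),
        key=lambda e: e["time"],
    )
    failures = defaultdict(list)  # src -> recent failed RDP logons
    findings = []
    for e in events:
        if e["logon_type"] != 10:
            continue  # only RDP logons are of interest here
        # Drop failures that fell out of the sliding window.
        recent = [f for f in failures[e["src"]] if e["time"] - f["time"] <= window]
        failures[e["src"]] = recent
        if e["event_id"] == 4625:
            recent.append(e)
        elif e["event_id"] == 4624 and len(recent) >= threshold:
            users = sorted({f["user"] for f in recent})
            findings.append({
                "src": e["src"],
                "failures": len(recent),
                "users_tried": users,
                "compromised_user": e["user"],
                "time": e["time"].isoformat(),
                # Many distinct accounts = password spray; one account = brute force.
                "pattern": "spray" if len(users) > 1 else "brute_force",
            })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_credential_attacks(SAMPLE_EVENTS):
        print(finding)
```

A success that follows a spray like this is the moment to treat the account as compromised: reset the password, revoke its sessions, and look for what it did next, because in an RA Group intrusion the encryption comes after the data has already been copied out.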

RA Group ransom note

The RA Group ransom note is dropped as a text file on the desktop and in every folder it encrypts. It is customized with the victim’s name, so each attack has a unique ransom note.

This is a sample of the ransom note:

# RA Group
----
## Notification
Your data has been encrypted when you read this letter.
We have copied all data to our server.
But don’t worry, your data will not be compromised or made public if you do what I want.

## What did we do?
We took your data and encrypted your servers, encrypted files can be decrypted.
We had saved your data properly, we will delete the saved data if you meet our requirements.
We took the following data:
[COMPANY] Documents
supplier information
customer Information, Payment Information
employee Information, Payroll
accounting
sales tax
financial Statements
financial annual report, quarterly report
[COMPANY] CONTRACT
business Plan
contract
invoices
vtex info
employee internal email backup

## What we want?
Contact us, pay for decryption.

## How contact us?
We use qTox to contact, you can get more information from qTox office website:

 

Our qTox ID is:

 

We have no other contact.
If there is no contact within 3 days, we will make sample files public.
If there is no contact within 7 days, we will make the file public.

## Recommend
Do not contact us through other companies, they just earn the difference.

## Information release
Sample files:

 

All files:

 

You can use Tor Browser to open .onion url.

Ger more information from Tor office webshite:

How does the RA Group ransomware work

RA Group uses intermittent encryption: it alternates between encrypting and skipping sections of each file. This speeds up encryption considerably, but it also means the skipped sections remain in plaintext, so partial recovery of data from encrypted files is sometimes possible.

Like Babuk, RA Group uses Curve25519 for key exchange and the eSTREAM stream cipher HC-128 to encrypt file contents. The ransomware also deletes volume shadow copies (the Babuk code does this with vssadmin.exe) and empties the Recycle Bin to hinder recovery.
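To make the recovery consequence of intermittent encryption concrete, the following Python program is an added example (not RA Group’s or Babuk’s code). It encrypts alternating regions of a constructed file with a keystream and then shows how a responder can locate the untouched regions by measuring the Shannon entropy of each chunk: stream-cipher output looks random (close to 8 bits per byte), while documents and text do not. HC-128 is not in the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for it, and the 1024-byte chunk size, the sample key and the sample plaintext are assumptions chosen for the demonstration, not values taken from the malware.

```python
"""Intermittent encryption and why it leaves recoverable plaintext.

Added illustration. The keystream (HMAC-SHA256 in counter mode) is a
stand-in for HC-128; chunk size, key and plaintext are constructed.
"""
import hashlib
import hmac
import math

CHUNK = 1024                      # assumed: encrypt CHUNK bytes, skip CHUNK bytes
ENTROPY_THRESHOLD = 7.2           # bits/byte; random data sits near 7.8 for 1 KiB
SAMPLE_KEY = b"\x42" * 32         # constructed key, not a real one
SAMPLE_PLAINTEXT = b"Invoice 2023-04-27 customer ACME amount 1200.00\n" * 200  # 9600 bytes


def keystream(key, length):
    """Deterministic pseudo-random bytes derived from key and a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(data, key, chunk=CHUNK):
    """XOR every other chunk-sized region with the keystream; leave the rest.
    XOR is its own inverse, so calling this twice recovers the original."""
    out = bytearray(data)
    ks = keystream(key, len(data))
    for start in range(0, len(data), 2 * chunk):
        for i in range(start, min(start + chunk, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(buf):
    """Entropy in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def recoverable_regions(blob, chunk=CHUNK, threshold=ENTROPY_THRESHOLD):
    """(offset, length) of chunks whose entropy is too low to be ciphertext,
    i.e. the regions the ransomware skipped."""
    regions = []
    for start in range(0, len(blob), chunk):
        piece = blob[start:start + chunk]
        if shannon_entropy(piece) < threshold:
            regions.append((start, len(piece)))
    return regions


def recoverable_fraction(blob, chunk=CHUNK, threshold=ENTROPY_THRESHOLD):
    """Share of the file still readable without the key."""
    if not blob:
        return 0.0
    return sum(n for _, n in recoverable_regions(blob, chunk, threshold)) / len(blob)


if __name__ == "__main__":
    encrypted = intermittent_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    for offset, length in recoverable_regions(encrypted):
        print(f"plaintext at {offset:5d}, {length} bytes")
    print(f"recoverable without key: {recoverable_fraction(encrypted):.1%}")
```

The same entropy scan is useful in triage: run over a victim’s encrypted files it tells you quickly whether the family skipped regions (and which ones) before you decide whether carving is worth the effort, and it works on any intermittently encrypted file regardless of the real cipher used.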

A ransomware removal service can help remove the malware, close the entry point the attackers used, and assess which data can be recovered.

Prevent RA Group ransomware attack

Preventing ransomware attacks is easier and cheaper than recovering from them. RA Group ransomware can cost your business’s future and even close its doors.

Ransomware operators frequently target the healthcare sector because of the sensitivity of patient data: according to HHS, more than 289 US hospitals were hit by ransomware in 2022, before RA Group appeared. Some ransomware groups also exploit zero-day vulnerabilities, flaws that are exploited before the vendor has released a patch.

This means you must keep your software updated to protect your data against RA Group ransomware. Patching alone is not enough, however, since attackers can reach victims before a fix is released or installed; the measures below add the layers that patching does not cover.

1. Use strong passwords

Use a unique, randomly generated password for every account, mixing letters, numbers, and special characters, and store them in a password manager. Combine this with multi-factor authentication on all remote access, since even a strong password offers no protection once it has been stolen.

2. Keep software updated

As mentioned before, software updates can close vulnerabilities that cyberattackers can exploit to enter your business network. Keeping software updated will increase your system security.

3. Schedule regular backups

Backups are the most reliable way to restore your data, whether it was lost to a natural disaster or a cyberattack, and the fastest way to get back to work after an incident such as an RA Group attack. Keep at least one copy offline or on immutable storage so the ransomware cannot encrypt or delete it, and test restores regularly.

4. Use a cybersecurity solution

A cybersecurity service or an internal IT security team can scan your systems for vulnerabilities, monitor for intrusions, and build the controls and awareness your business needs to keep attackers away from your data.

5. Have a recovery plan in hand

A data recovery plan (DRP) is a document that sets out how the organization will handle disasters such as a ransomware attack. It enables faster recovery and business continuity.

See how to create a data recovery plan with our in-depth guide.

How to handle a RA Group ransomware attack

The first step in recovering from an RA Group attack is to isolate the infected computer: disconnect it from the network (wired and Wi-Fi) and detach any connected storage devices, but do not wipe it, and leave it powered on where possible so that volatile evidence in memory can be captured. Then contact law enforcement. In the United States, report to your local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack, gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with RA Group actors (if you have them)
  • A sample of an encrypted file

Do not delete the ransomware, and preserve every piece of evidence of the attack. Digital forensics relies on the data on the infected system: the ransomware binary, logs, and ransom note are what let investigators trace the attack back to the group responsible. A cyberattack investigation is no different from any other criminal investigation: it needs evidence to identify the attackers.

After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:

1. Contact your Incident Response Retainer

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

2. Identify the ransomware infection

You can identify which ransomware infected your machine from the file extension (some families use the extension as their name) or from the ransom note. With this information you can check whether a public decryptor exists. For RA Group, none is available at the time of writing, so recovery depends on backups or on the plaintext regions left behind by intermittent encryption.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most reliable way to recover data. Keep daily or weekly backups, depending on how often your data changes, store at least one copy offline or on immutable storage, and verify that restores work before you need them. Before restoring, confirm the environment is clean so the restored data is not encrypted a second time.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
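Steps 2 and 3 above, and the evidence list before them, can be started on a copy of the data before any outside help arrives. The Python script below is an added example, not SalvageData’s tooling or any part of the ransomware, of a read-only triage pass: it walks a directory tree, counts the indicators this article lists (files with the .GAGUP extension and ransom notes named How To Restore Your Files.txt), hashes a few samples so they can be handed to responders and law enforcement unambiguously, and writes a JSON manifest. The sample limit, the manifest layout and the test directory layout are assumptions; nothing is modified or deleted.

```python
"""Read-only triage of a suspected RA Group infection.

Inventories the indicators named in this article (the .GAGUP extension
and the ransom note file name), hashes sample files, and writes a
manifest. Never modifies or deletes anything in the tree it scans.
"""
import hashlib
import json
import os
from collections import Counter

RANSOM_NOTE_NAME = "How To Restore Your Files.txt"
KNOWN_EXTENSIONS = {".GAGUP"}   # victims may see other extensions; extend as needed
MAX_SAMPLES = 3                 # assumed: how many encrypted files to hash for evidence


def sha256_file(path, bufsize=1 << 20):
    """SHA-256 of a file, read in 1 MiB blocks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def triage(root):
    """Walk `root` and return a dict describing what was found."""
    notes, encrypted = [], []
    ext_counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1]
            if ext in KNOWN_EXTENSIONS:
                ext_counts[ext] += 1
                encrypted.append(path)
    # Hash a few encrypted files; these are the "sample of an encrypted
    # file" that responders and IC3 ask for.
    samples = [
        {"path": p, "sha256": sha256_file(p), "size": os.path.getsize(p)}
        for p in sorted(encrypted)[:MAX_SAMPLES]
    ]
    # One victim gets one customized note, so usually a single distinct hash;
    # more than one is worth a closer look.
    note_hashes = sorted({sha256_file(p) for p in notes})
    return {
        "ransom_notes": len(notes),
        "distinct_note_hashes": note_hashes,
        "encrypted_files": sum(ext_counts.values()),
        "extensions": dict(ext_counts),
        "samples": samples,
        "directories_with_note": sorted({os.path.dirname(p) for p in notes}),
    }


def write_manifest(report, out_path):
    """Write the report as JSON; point out_path at external media, not the
    infected volume, so the evidence tree stays untouched."""
    with open(out_path, "w") as f:
        json.dump(report, f, indent=2, sort_keys=True)
    return out_path


if __name__ == "__main__":
    import sys
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(json.dumps(report, indent=2, sort_keys=True))
```

Run it against a mounted image or a forensic copy rather than the live disk where you can, and keep the manifest with the rest of the evidence; the note hashes and the sample hashes are what let a responder confirm later that the files you describe are the files they received.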

SalvageData experts can safely work to recover your files and help harden your network so that RA Group ransomware does not strike again.

Contact our experts 24/7 for emergency recovery service or find a recovery center near you.

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.
