RA Group Ransomware Based on Babuk Code


RA Group is a type of ransomware that carries out data encryption, modifies filenames, and delivers a specific ransom note. Each attack involves a customized ransom note titled "How To Restore Your Files.txt," tailored to the targeted organization or company. The same level of customization may apply to the file extensions appended to the encrypted files' filenames.

One of the file extensions observed from the RA Group ransomware was ".GAGUP." Notably, RA Group is known for utilizing an encryptor built upon the leaked source code of the Babuk ransomware group, which had ceased its operations in 2021.

The ransom note serves to inform the victim about the encryption of their data and the attackers' actions of making copies of the data on their server to ensure its integrity and confidentiality if their demands are met.

The note explains that the attackers have seized the victim's data and encrypted their servers, highlighting the possibility of decrypting the encrypted files. It mentions that the saved data will be permanently deleted upon fulfillment of the attackers' requirements, and it lists various types of data that the attackers have accessed.

The victim is directed to contact the attackers and make a payment for the decryption process. Communication is preferably conducted via qTox, with a provided qTox ID for the victim to utilize. The note warns against contacting the attackers through other channels, suggesting that the attackers are solely interested in monetary gain.

Additionally, the ransom note states that sample files will be disclosed publicly if no contact is established within three days. In the event of no response within seven days, all files will be released to the public. For accessing further information, the victim is advised to utilize the Tor Browser.

RA Group Ransom Actor Relies on Tox Chat for Contact

The full text of the RA Group ransom note reads as follows:

RA Group

Your data has been encrypted when you read this letter.
We have copied all data to our server.
But don't worry, your data will not be compromised or made public if you do what I want.

What did we do?
We took your data and encrypted your servers, encrypted files can be decrypted.
We had saved your data properly, we will delete the saved data if you meet our requirements.
We took the following data:
[redacted] Documents
supplier information
customer Information, Payment Information
employee Information, Payroll
sales tax
financial Statements
financial annual report, quarterly report
[redacted] CONTRACT
business Plan
vtex info
employee internal email backup

What we want?
Contact us, pay for decryption.

How contact us?
We use qTox to contact, you can get more information from qTox office website:

Our qTox ID is:
(alphanumeric string)

We have no other contact.
If there is no contact within 3 days, we will make sample files public.
If there is no contact within 7 days, we will make the file public.

Do not contact us through other companies, they just earn the difference.

Information release
Sample files:

All files:

You can use Tor Browser to open .onion url.
Ger more information from Tor office webshite:

What Can You Do to Protect Your Data from Ransomware Like RA Group?

Protecting your data from ransomware attacks like RA Group is crucial to safeguard your information and prevent potential damage. Here are some measures you can take to enhance your data protection:

Backup your data: Regularly back up your important data and ensure that the backups are stored securely offline or in a separate network. This way, even if your data gets encrypted by ransomware, you can restore it from backups without paying the ransom.

Keep your software up to date: Install software updates and security patches promptly. Outdated software often contains vulnerabilities that can be exploited by ransomware. Enable automatic updates whenever possible to ensure timely protection.

Use robust security solutions: Deploy reliable antivirus or anti-malware software on all your devices. Keep these security solutions updated and perform regular scans to detect any potential threats.

Be extra careful with email attachments and links: Be wary when opening email attachments or clicking links, especially from unknown sources. Ransomware often spreads through phishing emails, so verify the sender's identity and scan attachments with security software before opening them.

Enable strong and unique passwords: Use strong passwords for all your accounts and avoid reusing them. Consider looking into a password manager to securely store and manage your passwords. Enable multi-factor authentication (MFA) whenever possible to add an extra layer of security.

May 19, 2023

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.