Kusum Group Hit by RA World Ransomware: 257GB Data Leaked

Incident Date:

July 24, 2024

Overview

Victim

Kusum Group of Companies

Attacker

RA World

Location

New Delhi, India

First Reported

July 24, 2024

Ransomware Attack on Kusum Group of Companies by RA World

Overview of Kusum Group of Companies

Kusum Group of Companies is a significant entity in the pharmaceutical industry, primarily engaged in the manufacturing and distribution of high-quality generic medicines. Established in India, the company has expanded its operations internationally, with a notable presence in the Commonwealth of Independent States (CIS), ASEAN countries, and Africa. Kusum Group operates four manufacturing facilities—two in Bhiwadi, India, one in SEZ-Pithampur, India, and one in Sumy, Ukraine—employing over 2,000 highly qualified specialists. The company is committed to providing affordable, efficient, and safe medicines, adhering to stringent quality assurance systems that comply with the European Union's Good Manufacturing Practices (EU GMP), Good Laboratory Practices (GLP), and Good Distribution Practices (GDP).

Details of the Ransomware Attack

The Kusum Group of Companies has recently fallen victim to a ransomware attack orchestrated by the RA World ransomware group. The attack specifically targeted the Ukrainian branch of the company, resulting in the exfiltration of a substantial 257 GB of sensitive data. The compromised information includes financial records, departmental data, drug formulations, sales data, and export details. Alarmingly, the entirety of the stolen data has been leaked, posing significant risks to the company's operations and reputation.

About RA World Ransomware Group

RA World is an emerging ransomware group that has shown increased activity since early 2024. It is a rebranded version of the previously known RA Group, first reported in May 2023. The group employs a custom version of the leaked Babuk ransomware source code and uses a multi-stage attack process designed for maximum impact. RA World is known for its double extortion tactics, exfiltrating sensitive data before encryption, and exploiting Group Policy Objects (GPOs) for lateral movement. The group has targeted various sectors, including healthcare, finance, manufacturing, and retail, with victims primarily in the United States, Europe, and Southeast Asia.

Penetration and Impact

RA World distinguishes itself by using advanced techniques such as anti-AV measures and intermittent file encryption to evade endpoint detection. The group appends ".GAGUP" or ".RAWLD" extensions to encrypted files and creates a mutex with the phrase "For whom the bell tolls, it tolls for thee." The ransomware group could have penetrated Kusum Group's systems through vulnerabilities in their network security, potentially exploiting weak points in their IT infrastructure or through phishing attacks targeting employees.
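A detection sketch for the file-extension indicator above, added here as an example and not taken from the report or any vendor tooling. It flags a host only when several files with the ".GAGUP" or ".RAWLD" extension appear within a short window, so a single stray file does not alert; the `timestamp|host|path` event layout, host names, threshold and window are assumptions, and the mutex indicator is not covered.

```python
"""Flag hosts where several files gain an RA World extension in a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the report attributes to RA World, lower-cased for comparison.
RA_WORLD_EXTENSIONS = (".gagup", ".rawld")

# Constructed sample events, oldest first: timestamp|host|path of created file.
# The field layout, host names and paths are assumptions for this example.
SAMPLE_EVENTS = r"""
2024-07-24T02:10:01|FS01|D:\finance\q2-ledger.xlsx.RAWLD
2024-07-24T02:10:04|FS01|D:\finance\export-list.csv.RAWLD
2024-07-24T02:10:05|FS01|D:\finance\readme.txt
2024-07-24T02:10:09|FS01|D:\sales\forecast.docx.GAGUP
2024-07-24T02:11:00|WS07|C:\Users\demo\notes.rawld
2024-07-24T02:12:00|FS02|E:\share\a.pdf.RAWLD
2024-07-24T02:17:00|FS02|E:\share\b.pdf.RAWLD
2024-07-24T02:22:00|FS02|E:\share\c.pdf.RAWLD
""".strip().splitlines()


def parse_event(line):
    """Split one event line into (datetime, host, path)."""
    ts, host, path = line.split("|", 2)
    return datetime.fromisoformat(ts), host, path


def find_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {host: time of first alert} for hosts that reach `threshold`
    matching files inside one sliding `window`. Input must be time-ordered."""
    recent = defaultdict(deque)  # host -> timestamps of recent matching files
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, path = parse_event(line)
        if not path.lower().endswith(RA_WORLD_EXTENSIONS):
            continue
        seen = recent[host]
        seen.append(ts)
        while ts - seen[0] > window:  # drop matches older than the window
            seen.popleft()
        if len(seen) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, when in find_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: burst of RA World extensions at {when.isoformat()}")
```

On the constructed sample only FS01 alerts: WS07 has a single matching file and FS02's three matches are spread over ten minutes.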
