Kusum Group Hit by RA World Ransomware: 257GB Data Leaked
Ransomware Attack on Kusum Group of Companies by RA World
Overview of Kusum Group of Companies
Kusum Group of Companies is a significant entity in the pharmaceutical industry, primarily engaged in the manufacturing and distribution of high-quality generic medicines. Established in India, the company has expanded its operations internationally, with a notable presence in the Commonwealth of Independent States (CIS), ASEAN countries, and Africa. Kusum Group operates four manufacturing facilities—two in Bhiwadi, India, one in SEZ-Pithampur, India, and one in Sumy, Ukraine—employing over 2,000 highly qualified specialists. The company is committed to providing affordable, efficient, and safe medicines, adhering to stringent quality assurance systems that comply with the European Union's Good Manufacturing Practices (EU GMP), Good Laboratory Practices (GLP), and Good Distribution Practices (GDP).
Details of the Ransomware Attack
The Kusum Group of Companies has recently fallen victim to a ransomware attack orchestrated by the RA World ransomware group. The attack specifically targeted the Ukrainian branch of the company, resulting in the exfiltration of a substantial 257 GB of sensitive data. The compromised information includes financial records, departmental data, drug formulations, sales data, and export details. Alarmingly, the entirety of the stolen data has been leaked, posing significant risks to the company's operations and reputation.
About RA World Ransomware Group
RA World is an emerging ransomware group that has shown increased activity since early 2024. It is a rebranded version of the previously known RA Group, first reported in May 2023. The group employs a custom version of the leaked Babuk ransomware source code and uses a multi-stage attack process designed for maximum impact. RA World is known for its double extortion tactics, exfiltrating sensitive data before encryption, and exploiting Group Policy Objects (GPOs) for lateral movement. The group has targeted various sectors, including healthcare, finance, manufacturing, and retail, with victims primarily in the United States, Europe, and Southeast Asia.
Penetration and Impact
RA World distinguishes itself by using advanced techniques such as anti-AV measures and intermittent file encryption to evade endpoint detection. The group appends ".GAGUP" or ".RAWLD" extensions to encrypted files and creates a mutex with the phrase "For whom the bell tolls, it tolls for thee." The ransomware group could have penetrated Kusum Group's systems through vulnerabilities in their network security, potentially exploiting weak points in their IT infrastructure or through phishing attacks targeting employees.
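The two observables named above, renamed files and partial (intermittent) encryption, can be checked from a defender's side. The following is an added example, not code from the original write-up or from Halcyon: it flags the reported ".GAGUP"/".RAWLD" extensions and measures entropy per chunk rather than per file, because intermittent encryption drags whole-file entropy down and can slip past a file-level check. The chunk size, the 7.5-bit threshold and the sample files are assumptions constructed here.

```python
"""Detection helper for RA World-style artifacts: renamed extensions and
intermittent (partial) encryption. Added example; thresholds and sample
data are assumptions, not facts from the article."""
import math
import random
from collections import Counter

# Extensions reported for RA World in the write-up above.
RA_WORLD_EXTENSIONS = (".GAGUP", ".RAWLD")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def has_ra_world_extension(path: str) -> bool:
    """Case-insensitive match on the reported appended extensions."""
    return path.upper().endswith(RA_WORLD_EXTENSIONS)

def chunk_entropies(data: bytes, chunk_size: int = 1024) -> list[float]:
    """Entropy of each fixed-size slice; the last slice may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def looks_intermittently_encrypted(data: bytes, chunk_size: int = 1024,
                                   threshold: float = 7.5) -> bool:
    """True when some chunks read as random and others do not, the
    signature of a file that was only partially encrypted."""
    ents = chunk_entropies(data, chunk_size)
    return any(e >= threshold for e in ents) and any(e < threshold for e in ents)

def assess(path: str, data: bytes) -> dict:
    """Combine both indicators into one verdict record for a file."""
    return {"path": path,
            "ra_world_extension": has_ra_world_extension(path),
            "partial_encryption": looks_intermittently_encrypted(data)}

# Constructed samples: ~4 KiB of repetitive "batch record" text, and the
# same text with only its first 1 KiB overwritten by pseudo-random bytes.
_rng = random.Random(1)
CLEAN_DOC = (b"Batch record 0042: assay 99.1%, qc pass. ") * 100
PARTIAL_DOC = bytes(_rng.randrange(256) for _ in range(1024)) + CLEAN_DOC[1024:]

if __name__ == "__main__":
    for p, d in (("formulation.docx", CLEAN_DOC),
                 ("formulation.docx.RAWLD", PARTIAL_DOC)):
        print(assess(p, d))
```

Whole-file entropy of the partially encrypted sample stays well below the threshold, which is exactly why the per-chunk view is needed.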