A new and highly active ransomware threat actor, RA Group, is targeting organizations in the manufacturing, finance, insurance and pharmaceuticals sectors, researchers at Cisco Talos said Monday.
Within a week of its emergence on April 22, RA Group compromised three organizations in the U.S. and one in South Korea. The group listed its first three victims on its leak site on April 27 and added a fourth victim on April 28, according to Cisco Talos.
Initial victim organizations have had their data encrypted and stolen, a form of double extortion designed to increase pressure on the organizations to pay the ransom.
Customized ransom notes from RA Group, which Cisco Talos observed and shared, threaten to leak sample files within three days and to publish all stolen data within a week if the ransom isn’t paid.
RA Group is using Babuk ransomware source code, which Cisco Talos researchers describe as highly customized. Multiple ransomware groups have used the Babuk ransomware code since it was leaked by a developer in 2021, according to Cisco Talos.
Rorschach, a customized strain of the Babuk ransomware code that was first detected last month, can encrypt data more quickly than other known strains and was deemed the “fastest ever ransomware” by researchers at Check Point.
Babuk ransomware source code was also used in a global spree of ransomware attacks earlier this year targeting organizations using VMware ESXi servers.