Fast-Growing RA Ransomware Group Goes Global

The rapidly evolving threat group uses high-impact tactics that include manipulating group policy to deploy payloads across environments.


A ransomware group that emerged last April is quickly making a name for itself by expanding its scope of attacks with high-impact tactics as it tramples across geographies, hitting a wide range of global targets in less than a year of activity.

The RA World ransomware group, previously known as RA Group, recently was spotted targeting several healthcare organizations in Latin America with a multistage cyberattack that manipulated the targeted environment's group policy settings, researchers from Trend Micro revealed in a blog post. The attack was aimed at causing the maximum amount of damage while also evading detection, showing a quick rise in sophistication of the group, the researchers said.

RA World began operating last April 22 with initial attacks against organizations in the US and South Korea in the manufacturing, wealth management, insurance, and pharmaceutical industries, and has since expanded with attacks across Germany, India, and Taiwan, according to Trend Micro.

Despite the new focus on Latin America, the US remains at the top of the list of targets, with the largest percentage of attacks in any specific country.

RA World continues to use double-extortion tactics, giving victims an extra incentive to meet ransom demands by naming previous victims in its ransom note, according to Trend Micro, which laid out the specifics of RA World's multistage attack in its post.

RA Group Is an Evolving Babuk Threat

RA Group initially emerged as yet another ransomware actor to use the source code from Babuk ransomware, leaked in 2021, as the basis for its attacks, while distinguishing itself from other actors by using a highly customized approach.

The group is still using Babuk as its ultimate payload, giving it an advantage in terms of its ability to move quickly while honing other attack skills in the process, according to Trend Micro.

"These kinds of source code leaks lower the bar of entry for ransomware operators, allowing cybercriminals that lack the necessary technical skills and knowledge to create their own ransomware families to participate in malicious operations," Trend Micro threat researchers Nathaniel Morales, Katherine Casona, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Maristel Policarpio, and Jacob Santos wrote in the post.

In the multistage attacks that the researchers observed, RA World initially gains entry via compromised domain controllers and goes on to manipulate Group Policy Object (GPO) settings to allow PowerShell script execution on the machines that receive the policy.

The vector also allows attackers to store the payload once on the compromised machine, then use Group Policy to execute it on the other domain-joined machines, "signifying a multistage attack approach aimed at compromising systems within the target network," the researchers wrote. Similar GPO manipulation has been seen before in a wiper attack against Ukrainian targets by the Russia-linked APT Sandworm.
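The defensive counterpart to the GPO technique described above is to audit recently modified GPOs for the two settings an attacker needs: the administrative template that enables PowerShell script execution, and a startup script, scheduled task or immediate task that launches a staged file. The script below is an added example written for this article, not code from Trend Micro's report or from RA World; the live path assumes the GroupPolicy RSAT module on a domain-joined host, the XML at the bottom is a constructed and simplified stand-in for a real Get-GPOReport document, and the file-extension list is an assumption about what a staged payload would look like.

```powershell
# Added example (not from Trend Micro's report or RA World tooling): hunt for GPOs that enable
# PowerShell script execution or push a script/binary to member machines.

function Find-SuspiciousGpoSettings {
    param(
        [Parameter(Mandatory)][xml]$Report,
        # Assumed: file types an attacker would stage in SYSVOL/NETLOGON and launch through a GPO
        [string]$PayloadPattern = '(?i)\.(ps1|bat|cmd|exe|dll|vbs)("|\s|$)'
    )
    # local-name() sidesteps the per-extension XML namespaces used in real GPO reports
    $gpoName  = $Report.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText
    $modified = $Report.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='ModifiedTime']").InnerText

    # 1. Administrative template 'Turn on Script Execution'
    #    (writes HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\EnableScripts = 1)
    foreach ($policy in $Report.SelectNodes("//*[local-name()='Policy']")) {
        $pName  = $policy.SelectSingleNode("*[local-name()='Name']").InnerText
        $pState = $policy.SelectSingleNode("*[local-name()='State']").InnerText
        if ($pName -eq 'Turn on Script Execution' -and $pState -eq 'Enabled') {
            [pscustomobject]@{ GPO = $gpoName; Modified = $modified; Finding = 'PowerShellScriptsEnabled'; Detail = $pName }
        }
    }
    # 2. Any startup/logon script, scheduled task or immediate task whose command is a script or binary
    foreach ($cmdNode in $Report.SelectNodes("//*[local-name()='Command']")) {
        $cmd = $cmdNode.InnerText.Trim()
        if ($cmd -match $PayloadPattern) {
            [pscustomobject]@{ GPO = $gpoName; Modified = $modified; Finding = 'ScriptOrBinaryPushedByGpo'; Detail = $cmd }
        }
    }
}

function Invoke-GpoHunt {
    param([int]$Days = 7)   # only GPOs modified in the last N days
    Import-Module GroupPolicy -ErrorAction Stop
    $since = (Get-Date).AddDays(-$Days)
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
        Find-SuspiciousGpoSettings -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml))
    }
}

# Constructed sample report (simplified schema) so the parser can be exercised offline.
[xml]$sampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <ModifiedTime>2024-03-01T10:15:00</ModifiedTime>
  <Computer>
    <ExtensionData>
      <Extension><Policy><Name>Turn on Script Execution</Name><State>Enabled</State></Policy></Extension>
      <Extension><Policy><Name>Configure Automatic Updates</Name><State>Enabled</State></Policy></Extension>
      <Extension><ScheduledTasks><ImmediateTaskV2 name="Stage"><Properties><Task><Actions><Exec>
        <Command>\\DC01\SYSVOL\corp.example\scripts\Stage.exe</Command>
      </Exec></Actions></Task></Properties></ImmediateTaskV2></ScheduledTasks></Extension>
      <Extension><Script><Type>Startup</Type><Command>\\DC01\NETLOGON\run.ps1</Command></Script></Extension>
    </ExtensionData>
  </Computer>
</GPO>
'@

# Expected: three findings (script execution enabled, Stage.exe immediate task, run.ps1 startup script);
# the Automatic Updates policy is ignored.
Find-SuspiciousGpoSettings -Report $sampleReport | Format-Table -AutoSize
```

Run `Invoke-GpoHunt` from a host with RSAT; a hit on a high-impact object such as the Default Domain Policy, or on any GPO modified outside a change window, warrants pulling the referenced file from SYSVOL before it runs at the next policy refresh. If directory service change auditing is enabled on the domain controllers, Security event ID 5136 on groupPolicyContainer objects gives the account and time behind each modification.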

After executing the Babuk ransomware payload, the attackers also drop a ransom note that lists recent victims who did not pay the ransom, as part of their extortion tactics.

Attackers also delete the remnants of the malware once the attack is complete. And as a further evasion tactic, RA World operators deploy SD.bat, a script that attempts to wipe out the Trend Micro defenses folder, the researchers noted.

"After the deletion of the Trend Micro folder, the ransomware will then remove the 'Safe Mode with Networking' option created from the default boot configuration in Windows," they wrote. "Finally, it will immediately reboot the computer by force."
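The three cleanup behaviours described above (deleting a security product's folder, tampering with the boot configuration's safe-mode entry, and a forced reboot) each leave a distinctive command line behind if process-creation auditing with command-line logging is on. The script below is an added example for this article, not code from Trend Micro or from SD.bat; the sample records are constructed, and the specific commands the rules look for (rd/rmdir/Remove-Item on the vendor folder, bcdedit safeboot changes, shutdown /r /f) are assumptions about how a batch script would typically do this, not the commands the article documents.

```powershell
# Added example (not from Trend Micro's report or SD.bat): detection logic for the cleanup
# behaviours described above, run over constructed process-creation records (Security 4688).

$Rules = @(
    @{ Name    = 'SecurityProductFolderDeletion'
       # Assumed: a folder wipe via rd/rmdir/del/Remove-Item aimed at the vendor's install directory
       Pattern = '(?i)\b(rd|rmdir|del|remove-item)\b.*\\(Program Files\\)?Trend Micro\\?' }
    @{ Name    = 'BootConfigSafeModeTamper'
       # Assumed: bcdedit creating, setting or deleting a Safe Mode / safeboot entry
       Pattern = '(?i)\bbcdedit(\.exe)?\b.*(\bsafeboot\b|/copy\b.*Safe Mode|/delete\b)' }
    @{ Name    = 'ForcedReboot'
       # shutdown with both /r (restart) and /f (force) in either order
       Pattern = '(?i)\bshutdown(\.exe)?\b.*(\s/r\b.*\s/f\b|\s/f\b.*\s/r\b)' }
)

function Find-RansomwareCleanupActivity {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with Time, Host, CommandLine
    foreach ($e in $Events) {
        foreach ($rule in $Rules) {
            if ($e.CommandLine -match $rule.Pattern) {
                [pscustomobject]@{ Time = $e.Time; Host = $e.Host; Rule = $rule.Name; CommandLine = $e.CommandLine }
            }
        }
    }
}

function Get-ProcessCreationEvents {
    # Live path: 4688 events from the local Security log; CommandLine is only populated when
    # "Include command line in process creation events" is enabled by policy.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x   = [xml]$_.ToXml()
            $cmd = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; CommandLine = [string]$cmd }
        }
}

function Test-SafeBootConfigured {
    # Returns the safeboot value (e.g. 'Network') of any boot entry currently set to start in Safe Mode.
    # Needs an elevated prompt.
    bcdedit /enum 2>$null | Select-String -Pattern '^\s*safeboot\s+(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

# Constructed sample records in the shape of the 4688 fields the rules use.
$Sample = @(
    [pscustomobject]@{ Time = '2024-03-04T02:11:03'; Host = 'WS-017'; CommandLine = 'cmd.exe /c rd /s /q "C:\Program Files\Trend Micro"' }
    [pscustomobject]@{ Time = '2024-03-04T02:11:04'; Host = 'WS-017'; CommandLine = 'bcdedit /copy {current} /d "Safe Mode with Networking"' }
    [pscustomobject]@{ Time = '2024-03-04T02:11:05'; Host = 'WS-017'; CommandLine = 'bcdedit.exe /deletevalue {default} safeboot' }
    [pscustomobject]@{ Time = '2024-03-04T02:11:06'; Host = 'WS-017'; CommandLine = 'shutdown.exe /r /f /t 0' }
    [pscustomobject]@{ Time = '2024-03-04T02:11:07'; Host = 'WS-017'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' }  # benign
)

# Expected: four hits (one folder deletion, two boot-config tampers, one forced reboot); svchost is ignored.
Find-RansomwareCleanupActivity -Events $Sample | Format-Table -AutoSize
```

Because the GPO pushes the same script to every machine, the useful signal is the same sequence appearing on many hosts within minutes; feed `Get-ProcessCreationEvents` from a central log collection rather than one endpoint, and treat any `BootConfigSafeModeTamper` hit as a reason to run `Test-SafeBootConfigured` on the host before it reboots.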

How to Protect Against Ransomware

Given that ransomware actors like RA World continue to operate with unprecedented agility, organizations should employ a multilayered security approach to strengthen the security of potential access points into their systems, including endpoints, email, Web interfaces, and networks, according to Trend Micro.

Specific best practices that the researchers advise to minimize the chances of falling victim to ransomware attacks include assigning administrative rights and access to employees only when required, and regularly updating security products while conducting periodic scans.

Organizations also should protect essential data using routine backups to prevent potential loss in case of an incident, as well as advise employees to proceed with caution when interacting with emails and websites, downloading attachments, clicking on URLs, or executing unknown programs, the researchers noted.

Trend Micro also advises that organizations educate employees on typical social engineering tactics, as well as prompt them to report potentially suspicious emails and files to security teams.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
