RA World, an emerging ransomware group, has been increasingly active since March 2024, using a multi-extortion tactic to steal data and threaten to leak it if the ransom is not paid.
Their leak site shows a recent shift in targets from healthcare organizations to manufacturing, possibly due to seeking higher ransom payouts, but the reason remains unclear.
The RA World ransomware group, active since mid-2023, primarily targets the manufacturing sector; according to leak site data, it has also impacted organizations in the US, Europe, and Asia.
The group recently switched their branding from RA Group to RA World, as reflected in their ransom note and encrypted file extension (.RAWLD), while their ransom note threatens to release stolen data if victims don’t comply.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
The RA World ransomware group maintains a leak site to pressure victims into paying ransom. The site was redesigned in 2024, featuring a dark theme and incorporating references to pop culture.
The leak site displays a list of victims and allows visitors to search for relevant information on a social media platform.
For each victim, RA World may disclose allegedly stolen data and use manipulative tactics to damage the victim’s reputation.
The analysis identified RA World attackers targeting misconfigured or vulnerable internet-facing servers for initial access.
Cortex XDR prevented attempts to dump credentials using PsExec and SysInternals tools.
For lateral movement, the attackers used Impacket to execute remote commands on compromised endpoints, extracting the NTDS database, SAM hive, and system registry by archiving the databases with makecab and deleting the originals.
A recent RA World ransomware attack used a multi-stage infection chain. The initial loader (Stage1.exe) identified the system’s domain and searched for exclusion rules.
It then deployed Stage2.exe to a shared network path, whose behavior depended on Safe Mode status, where it decrypted and ran a Babuk variant using a key based on the domain name.
According to Palo Alto Networks, the Babuk variant (Stage3.exe) used custom modifications, including a new mutex name, ransom note filename, and encrypted file extension.
RA World, a ransomware threat actor, shares some TTPs (Tactics, Techniques, and Procedures) with BRONZE STARLIGHT, a Chinese threat group.
Both groups use the open-source tool NPS, exploit Impacket modules for lateral movement, and deploy Babuk-based ransomware.
The loader shares file path similarities and internal IP addresses with BRONZE STARLIGHT’s tools, while the actors’ code contains misspelling errors.
The attackers’ activity time zone aligns with GMT+7 to GMT+9 timezones, suggesting a possible link between RA World and BRONZE STARLIGHT, but other explanations are possible.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo