RA World, a ransomware group that first surfaced in April 2023, is quickly gaining notoriety for high-impact attacks spanning several regions and industries. The group, previously known as RA Group, has recently been observed targeting healthcare organizations in Latin America with a multistage attack designed to cause maximum damage while evading detection.
According to researchers from Trend Micro, RA World began its operations by attacking organizations in the US and South Korea in industries such as manufacturing, wealth management, insurance, and pharmaceuticals. Since then, the group has expanded its targeting to organizations in Germany, India, Taiwan, and now Latin America. Despite this expansion, the US remains the most heavily targeted country, accounting for the largest share of attacks.
RA World runs a double-extortion scheme: it exfiltrates data before encrypting it, so victims face both the loss of access to their files and the threat that the stolen data will be published. On top of this, the group lists earlier victims in its ransom notes, an additional pressure tactic meant to show the current victim what happens to organizations that do not pay and to add a sense of urgency to comply.
The group built its encryptor on the Babuk ransomware source code, which leaked in 2021. Starting from working code let RA World establish itself in the ransomware landscape quickly, while customizing its delivery and extortion approach to stand out from other actors using the same leaked base.
In a recent multistage attack observed by Trend Micro researchers, RA World first compromised the victim's domain controllers and then modified Group Policy Object (GPO) settings so that domain-joined machines would run attacker-supplied PowerShell scripts. Because Group Policy is trusted, centrally distributed configuration, this let the operators stage the ransomware payload on machines they already controlled and have the other machines in the network fetch and execute it, without having to touch each host individually.
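The GPO delivery path described above is also the most useful place for defenders to look for it. The following PowerShell is an added example written for this page, not code from Trend Micro's research or from RA World's tooling. It audits Group Policy for recently modified GPOs that carry scripts or scheduled tasks, fresh executables in SYSVOL, and (where auditing is on) the Security events that record who changed the GPO objects. It assumes the RSAT GroupPolicy module is installed, the session is domain-joined with read access to SYSVOL, a 7-day lookback window is appropriate, and Directory Service Changes auditing is enabled on the domain controllers for the last step; all of these are assumptions, not facts from the article.

```powershell
# Added example (not from the article or Trend Micro): audit Group Policy for the
# delivery pattern described above. Assumptions: RSAT GroupPolicy module present,
# domain-joined session with read access to SYSVOL, 7-day lookback window.
Import-Module GroupPolicy -ErrorAction Stop

$lookbackDays = 7                              # assumption: tune to your change cadence
$since        = (Get-Date).AddDays(-$lookbackDays)
$domain       = $env:USERDNSDOMAIN
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding($Gpo, $Modified, $Kind, $Detail) {
    $findings.Add([pscustomobject]@{ GPO = $Gpo; Modified = $Modified; Kind = $Kind; Detail = $Detail })
}

# Returns the text of the first node matching $XPath under $Node, or '' if absent.
function Get-NodeText($Node, $XPath) {
    $child = $Node.SelectSingleNode($XPath)
    if ($child) { $child.InnerText } else { '' }
}

# Pulls a named field out of a Security event's EventData block.
function Get-EventField($Event, $Name) {
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. GPOs changed inside the window: dump each as XML and look for the client-side
#    extensions an attacker would abuse to get code running on every targeted host.
#    local-name() sidesteps the per-extension XML namespaces in the report.
foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -gt $since }) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Startup/Shutdown (Computer) and Logon/Logoff (User) scripts.
    foreach ($s in $report.SelectNodes("//*[local-name()='Script']")) {
        $cmd    = Get-NodeText $s "*[local-name()='Command']"
        $params = Get-NodeText $s "*[local-name()='Parameters']"
        $type   = Get-NodeText $s "*[local-name()='Type']"
        Add-Finding $gpo.DisplayName $gpo.ModificationTime "Script/$type" ("$cmd $params").Trim()
    }

    # Scheduled and immediate tasks from Group Policy Preferences.
    $taskXPath = "//*[local-name()='TaskV2' or local-name()='ImmediateTaskV2' or local-name()='Task' or local-name()='ImmediateTask']"
    foreach ($t in $report.SelectNodes($taskXPath)) {
        $cmd = Get-NodeText $t ".//*[local-name()='Command']"
        Add-Finding $gpo.DisplayName $gpo.ModificationTime $t.LocalName ("{0}: {1}" -f $t.GetAttribute('name'), $cmd)
    }
}

# 2. Script and binary files recently written under the Policies share itself.
#    Each GPO's files live under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\.
$policies   = "\\$domain\SYSVOL\$domain\Policies"
$suspectExt = '.ps1', '.exe', '.bat', '.cmd', '.vbs', '.dll'   # assumption: extend as needed
Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -and $suspectExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $gpoId = if ($_.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { '?' }
        Add-Finding $gpoId $_.LastWriteTime 'SYSVOL file' $_.FullName
    }

# 3. Who changed the GPO objects? Event 5136 on a domain controller records each
#    directory object modification, but only if "Audit Directory Service Changes" is on.
$dc = $env:LOGONSERVER.TrimStart('\')
try {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction Stop |
        Where-Object { $_.Message -match 'groupPolicyContainer' } |
        ForEach-Object {
            $who  = Get-EventField $_ 'SubjectUserName'
            $dn   = Get-EventField $_ 'ObjectDN'
            $attr = Get-EventField $_ 'AttributeLDAPDisplayName'
            Add-Finding $dn $_.TimeCreated 'Event 5136' "attribute $attr modified by $who"
        }
} catch {
    Write-Warning "Could not read the Security log on $dc (needs log read rights and DS Changes auditing): $_"
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it from an administrative workstation with RSAT. Every row is a lead, not a verdict: legitimate software deployment uses the same script and scheduled-task extensions, so each hit should be matched against the change record. An empty table only means nothing script-bearing changed in the window, not that the domain controllers are clean.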
After deploying the Babuk-based ransomware payload, RA World operators also drop a ransom note that includes a list of recent victims who failed to pay the ransom. This serves as an intimidation tactic to pressure the new victim into complying with the demands.
To protect against ransomware attacks like those carried out by RA World, organizations are advised to employ a multilayered security approach that covers the potential access points into their systems, including endpoints, email, web interfaces, and the network. Best practices recommended by the researchers include granting administrative rights only where a role actually requires them, keeping security products up to date, conducting regular security scans, and maintaining routine backups of essential data.
Employees should also be educated on common social engineering tactics and encouraged to report any suspicious emails or files to the security team. By staying vigilant and implementing these security measures, organizations can minimize the chances of falling victim to ransomware attacks orchestrated by groups like RA World.

