Fast-Growing RA Ransomware Group Goes Global
The rapidly evolving threat group uses high-impact tactics that include manipulating group policy to deploy payloads across environments.
March 5, 2024
A ransomware group that emerged last April is quickly making a name for itself by expanding its scope of attacks with high-impact tactics as it tramples across geographies, hitting a wide range of global targets in less than a year of activity.
The RA World ransomware group, previously known as RA Group, recently was spotted targeting several healthcare organizations in Latin America with a multistage cyberattack that manipulated the targeted environment's group policy settings, researchers from Trend Micro revealed in a blog post. The attack was aimed at causing the maximum amount of damage while also evading detection, showing a quick rise in sophistication of the group, the researchers said.
RA World began operating last April 22 with initial attacks against organizations in the US and South Korea in the manufacturing, wealth management, insurance, and pharmaceutical industries, and has since expanded with attacks across Germany, India, and Taiwan, according to Trend Micro.
Despite the new focus on Latin America, the US remains at the top of the list of targets, with the largest percentage of attacks in any specific country.
RA World continues to use double-extortion tactics; its ransom note lists previous victims who did not pay, giving new victims an extra incentive to meet its demands, according to Trend Micro, which detailed RA World's multistage attack in its post.
RA Group initially emerged as yet another ransomware actor building on the Babuk ransomware source code, leaked in 2021, while distinguishing itself from other Babuk-based actors with a highly customized approach.
The group is still using Babuk as its ultimate payload, giving it an advantage in terms of its ability to move quickly while honing other attack skills in the process, according to Trend Micro.
"These kinds of source code leaks lower the bar of entry for ransomware operators, allowing cybercriminals that lack the necessary technical skills and knowledge to create their own ransomware families to participate in malicious operations," Trend Micro threat researchers Nathaniel Morales, Katherine Casona, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Maristel Policarpio, and Jacob Santos wrote in the post.
In the multistage attacks the researchers observed, RA World first obtains access to a domain controller, then modifies Group Policy Object (GPO) settings to permit PowerShell script execution on the machines the policy applies to.
This lets the attackers store the payload once, on the compromised machine, and use Group Policy to execute it on other machines in the domain, "signifying a multistage attack approach aimed at compromising systems within the target network," the researchers wrote. Similar GPO abuse has been seen before, in a wiper attack against Ukrainian targets by the Russia-linked APT Sandworm.
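The GPO mechanism described above leaves artifacts in SYSVOL that defenders can audit. The following PowerShell script is an added example, not code from the Dark Reading article, the Trend Micro post, or RA World's tooling: it enumerates GPOs modified in the last N days and reports the files through which a GPO pushes execution to every machine in its scope (startup/logon script lists and Group Policy Preference scheduled tasks), extracting the command lines they reference. The 7-day window, the list of "suspicious" command-line tokens, and the file extensions flagged are the author's assumptions; the script needs the GroupPolicy RSAT module and read access to SYSVOL, and must run from a domain-joined host.

```powershell
<#
  Added example, not part of the original article or the Trend Micro research.
  Hunts SYSVOL for recently modified GPOs carrying script or scheduled-task
  artifacts: the mechanism by which a payload staged once on a domain
  controller is executed on every machine the GPO applies to.
  Assumptions: GroupPolicy RSAT module installed, SYSVOL readable, 7-day window.
#>
param(
    [int]$Days = 7,
    [string]$Domain = $env:USERDNSDOMAIN
)

Import-Module GroupPolicy -ErrorAction Stop

$cutoff   = (Get-Date).AddDays(-$Days)
$policies = "\\$Domain\SYSVOL\$Domain\Policies"

# Files inside a GPO folder that cause code to run on targeted machines.
# Paths are relative to the GPO's own {GUID} folder in SYSVOL.
$execArtifacts = @(
    'Machine\Scripts\scripts.ini',                            # startup/shutdown scripts
    'Machine\Scripts\psscripts.ini',                          # PowerShell startup/shutdown scripts
    'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',  # GPP scheduled / immediate tasks
    'User\Scripts\scripts.ini',                               # logon/logoff scripts
    'User\Scripts\psscripts.ini',
    'User\Preferences\ScheduledTasks\ScheduledTasks.xml'
)

# Tokens an analyst would want flagged in a pushed command line (assumed list).
$suspicious = 'powershell|pwsh|-enc|bypass|hidden|\.ps1|\.bat|\.vbs|rundll32|regsvr32|mshta|certutil'

function Get-ArtifactCommands {
    param([string]$Path)
    $content = Get-Content -LiteralPath $Path -Raw
    if ($Path -like '*.xml') {
        $xml = [xml]$content
        # Legacy <Task> items keep the command in Properties/@cmd; TaskV2 and
        # ImmediateTaskV2 items keep it in <Exec><Command>/<Arguments>.
        @(
            $xml.SelectNodes('//Properties[@cmd]') | ForEach-Object { "$($_.cmd) $($_.args)".Trim() }
            $xml.SelectNodes('//Exec')             | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }
        )
    } else {
        # scripts.ini / psscripts.ini lines look like "0CmdLine=run.ps1", "0Parameters=-x".
        @($content -split "`r?`n" | Where-Object { $_ -match '^\d+(CmdLine|Parameters)=' })
    }
}

$findings = foreach ($gpo in (Get-GPO -All | Where-Object { $_.ModificationTime -ge $cutoff })) {
    $gpoDir = Join-Path $policies ('{' + $gpo.Id.ToString().ToUpper() + '}')

    foreach ($rel in $execArtifacts) {
        $path = Join-Path $gpoDir $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $cmds = Get-ArtifactCommands -Path $path
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Modified   = $gpo.ModificationTime
            Artifact   = $rel
            Commands   = ($cmds -join '; ')
            Suspicious = [bool]($cmds -match $suspicious)
        }
    }

    # Script bodies dropped next to the .ini files are worth listing too:
    # a fresh .ps1/.bat under Machine\Scripts is the staged payload itself.
    Get-ChildItem -LiteralPath (Join-Path $gpoDir 'Machine\Scripts') -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.LastWriteTime -ge $cutoff) -and ($_.Extension -in '.ps1', '.bat', '.cmd', '.vbs', '.exe', '.dll') } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Modified   = $_.LastWriteTime
                Artifact   = $_.FullName.Substring($gpoDir.Length + 1)
                Commands   = ''
                Suspicious = $true
            }
        }
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

The filesystem view is deliberately chosen over the AD object view: a script or task pushed through a GPO always lands in SYSVOL, so this check works even when the attacker has tampered with the GPO's AD attributes or when directory-service change auditing (event 5136) was never enabled. Treat any hit whose `Modified` time does not match a change ticket as an incident, not a finding.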
After executing the Babuk ransomware payload, attackers also drop a ransom note that includes the list of recent victims who were unable to pay the ransom fee as part of its extortion tactics.
Attackers also delete the remnants of the malware once the attack is complete. As a further evasion tactic, RA World operators deploy SD.bat, a script that attempts to delete the folder of the installed Trend Micro security product, the researchers noted.
"After the deletion of the Trend Micro folder, the ransomware will then remove the 'Safe Mode with Networking' option created from the default boot configuration in Windows," they wrote. "Finally, it will immediately reboot the computer by force."
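The two evasion steps just described, removing the security product's folder and altering the boot configuration before a forced reboot, can be checked for on a suspect host. The PowerShell below is an added example, not code from the article or from Trend Micro: it parses `bcdedit /enum all` into objects, flags loader entries configured for Safe Mode (`safeboot` set, or a description mentioning it), warns if the default boot target is such an entry, verifies the protection folder is still present, and lists recent restart requests from the System log (event ID 1074) with the process that initiated them. That the boot entry is manipulated through the BCD store, the Trend Micro install path, the 7-day window, and the English-language bcdedit output format are the author's assumptions. Run it from an elevated session.

```powershell
<#
  Added example, not code from the original article or from Trend Micro.
  Post-incident checks for the tail of the attack chain described above:
    1. boot entries that put a machine into Safe Mode, where most endpoint
       agents do not load (assumes the entry lives in the BCD store),
    2. whether the endpoint-protection folder survived (path is an assumption),
    3. which process forced the recent restarts (System log event 1074).
  Run from an elevated PowerShell session on the host being examined.
#>
param(
    [string[]]$ProtectionPaths = @("$env:ProgramFiles\Trend Micro"),  # assumed install path; adjust
    [int]$Days = 7
)

function Get-BcdEntry {
    # Turns the English text output of bcdedit into one object per entry.
    # Key/value lines look like "identifier   {current}"; section headers such as
    # "Windows Boot Loader" contain no run of two or more spaces. Non-English
    # bcdedit output may need the header heuristic adjusted.
    $raw = & bcdedit.exe /enum all 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (not elevated?): $raw" }

    $entries = @()
    $current = $null
    foreach ($line in $raw) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^-+$') { continue }
        if ($line -match '^(\S+)\s{2,}(.*)$') {
            if ($null -ne $current) { $current[$matches[1]] = $matches[2].Trim() }
        } elseif ($line -notmatch '^\s') {
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Section = $line.Trim() }
        }
        # Indented continuation lines (long device strings) are ignored on purpose.
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-SafeModeBootEntry {
    param($Entries)
    # 'safeboot Minimal' boots Safe Mode, 'safeboot Network' boots Safe Mode with
    # Networking. A copied loader entry described as "Safe Mode ..." is the
    # same thing spelled for humans, so flag that too.
    $Entries | Where-Object {
        $_.Section -eq 'Windows Boot Loader' -and
        ($_.PSObject.Properties['safeboot'] -or $_.description -match 'safe mode')
    }
}

function Get-DefaultBootTarget {
    param($Entries)
    $mgr = $Entries | Where-Object { $_.Section -eq 'Windows Boot Manager' } | Select-Object -First 1
    if ($mgr) { $mgr.default }
}

function Get-ForcedRestartEvent {
    param([int]$Days)
    # Event 1074 (User32) records every restart/shutdown requested through the
    # shutdown API. Property indexes follow the event's parameter order:
    # 0 = initiating process, 2 = reason, 4 = shutdown type, 6 = user.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $_.Properties[0].Value
                Type    = $_.Properties[4].Value
                User    = $_.Properties[6].Value
                Reason  = $_.Properties[2].Value
            }
        }
}

$entries  = Get-BcdEntry
$safeMode = @(Find-SafeModeBootEntry -Entries $entries)
$default  = Get-DefaultBootTarget -Entries $entries

"Boot entries: $($entries.Count); default target: $default"
if ($safeMode.Count -gt 0) {
    Write-Warning "Boot entries configured for Safe Mode (legitimate only if you set them for maintenance):"
    $safeMode | Select-Object identifier, description, safeboot | Format-Table -AutoSize
    if ($safeMode.identifier -contains $default) { Write-Warning "The DEFAULT boot entry is a Safe Mode entry" }
}

foreach ($p in $ProtectionPaths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Protection folder missing: $p" }
}

"Restart/shutdown requests in the last $Days days:"
Get-ForcedRestartEvent -Days $Days | Format-Table -AutoSize
```

A Safe Mode boot entry that no administrator created, a missing protection folder, and a 1074 event whose initiating process is a batch script or `shutdown.exe` launched from an unexpected path are each worth escalating on their own; together they match the sequence the researchers describe. Run the same checks across the fleet, not only on hosts that already show encrypted files, since the GPO stage will have staged the payload on machines that have not yet rebooted.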
Given that ransomware actors like RA World continue to operate with unprecedented agility, organizations should employ a multilayered security approach to strengthen the security of the potential access points into their systems, including endpoints, email, Web interfaces, and networks, according to Trend Micro.
Specific best practices that the researchers advise to minimize the chances of falling victim to ransomware attacks include assigning administrative rights and access to employees only when required, and regularly updating security products while conducting periodic scans.
Organizations also should protect essential data using routine backups to prevent potential loss in case of an incident, as well as advise employees to proceed with caution when interacting with emails and websites, downloading attachments, clicking on URLs, or executing unknown programs, the researchers noted.
Trend Micro also advises that organizations educate employees on typical social engineering tactics, as well as prompt them to report potentially suspicious emails and files to security teams.
Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.