FOCUS MODE
EXTRACT IOC
Threat Research

Dark Web Profile: RA World

SocRadar
Dark Web Profile: RA World
RA World is a ransomware operation believed to be a rebranding of the RA Group, utilizing similar extortion techniques and targeting various organizations primarily in Western countries and the Indo-Pacific region. The group employs a modified Babuk encryptor and engages in data theft before deploying ransomware. Their tactics include psychological pressure on victims through deadlines and public exposure of stolen data. Affected: RA World, RA Group

Keypoints :

  • RA World is a rebranded version of the RA Group ransomware operation.
  • First reported in May 2023, using a modified Babuk encryptor.
  • Employs intermittent file encryption to evade detection.
  • Targets a variety of organizations, mainly in Western countries and the Indo-Pacific region.
  • Engages in data theft prior to ransomware deployment.
  • Utilizes psychological tactics, including deadlines for communication and public exposure of stolen data.
  • Focuses on high-impact sectors like healthcare, finance, and supply chain industries.
  • Employs multiple MITRE techniques for execution and persistence.

MITRE Techniques :

  • Privilege Escalation – Group Policy Modification (T1484.001): Modifies Group Policy settings to run malicious scripts.
  • Lateral Movement – Lateral Tool Transfer (T1570): Transfers malicious payloads across systems within the network.
  • Defense Evasion – Impair Defenses – Safe Mode Boot (T1562.009): Manipulates boot configuration to enable Safe Mode for evasion.
  • Indicator Removal – Indicator Removal (T1070): Removes traces of the attack to avoid detection.
  • Indicator Removal – File Deletion (T1070.004): Deletes files to cover tracks.
  • Modify Registry – Modify Registry (T1112): Alters registry settings to maintain persistence.
  • Persistence – Create or Modify System Process – Windows Service (T1543.003): Sets up services to ensure malware runs on startup.
  • Impact – Data Encrypted for Impact (T1486): Encrypts victim data to demand ransom.
  • System Shutdown/Reboot – System Shutdown/Reboot (T1529): Initiates shutdowns to disrupt victim operations.
  • Data Destruction – Data Destruction (T1485): Potentially destroys data if demands are not met.

Indicator of Compromise :

  • [file name] Finish.exe
  • [file name] Stage1.exe
  • [file name] Stage2.exe
  • [file name] pay.txt
  • [file extension] .RAWLD, .GAGUP
  • Check the article for all found IoCs.

Full Research: https://socradar.io/dark-web-profile-ra-world/

Tags: DISCOVERY, HEALTHCARE, PAYLOAD, PERSISTENCE, VULNERABILITY, LATERAL MOVEMENT, FINANCIAL, SOCIAL ENGINEERING