Fast-growing RA Ransomware Group goes global

A ransomware group which emerged last April is quickly making a name for itself by expanding the reach of attacks with high-impact tactics as it traverses geographies, hitting a wide range of global targets in less than a year of operation.

The RA World ransomware group, formerly known as RA Group, was recently spotted targeting several healthcare organizations in Latin America with a multi-stage cyber attack that manipulated the Group Policy settings of the targeted environment, Trend Micro researchers revealed in a blog post. The goal of the attack was to cause as much damage as possible while avoiding detection, demonstrating a rapid increase in the group’s sophistication, the researchers said.

RA World began operations on April 22 with initial attacks against organizations in the United States and South Korea in the manufacturing, asset management, insurance and pharmaceutical sectors, and has since expanded with attacks in Germany, India and Taiwan, according to Trend Micro.

Despite the new focus on Latin America, the United States remains at the top of the target list, with the highest percentage of attacks in any specific country.

RA World continues to use double extortion tactics, giving victims additional incentive to meet ransom demands by using previous victims’ details in its ransom note, according to Trend Micro, which lifted the lid on details of the multi-phase attack by RA World in its post.

RA Group is an evolving Babuk threat

RA Group initially emerged as another ransomware actor using the source code of the Babuk ransomware – leaked in 2021 – as the basis for its attacks, distinguishing itself from other actors by using a highly personalized approach.

The group is still using Babuk as the final payload, giving it an advantage in terms of its ability to move quickly while honing other attack abilities in the process, according to Trend Micro.

“This type of code leak lowers the level of access for ransomware operators, allowing cybercriminals who lack the technical skills and knowledge to create their own ransomware families to participate in malicious operations,” they wrote in the post.

In the multi-stage attacks observed by researchers, RA World initially gains access via compromised domain controllers and then manipulates Group Policy Object (GPO) settings to allow PowerShell script execution.

The vector also allows attackers to store the payload once inside the compromised machine, then use group policy to run it on other local machines, “which signifies a multi-stage attack approach aimed at compromising systems inside the target network,” the researchers wrote. Similar GPO manipulation has been seen before in an attack against Ukrainian targets by the Russian-linked APT Sandworm.

After executing the Babuk ransomware payload, the attackers also drop a ransom note that includes the list of recent victims who were unable to pay the ransom fee as part of their extortion tactics.

Attackers also delete remnants of the malware once the attack is complete. And as an additional evasion tactic, RA World operators use SD.bat, a script that attempts to delete Trend Micro’s defenses folder, researchers noted.

“After deleting the Trend Micro folder, the ransomware will remove the created ‘Safe Mode with Networking’ option from the default startup configuration in Windows,” they wrote. “Finally, it will immediately forcefully restart your computer.”
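
As an added illustration (not code from the Trend Micro post or from RA World’s tooling), the following Python sketch shows how a defender might surface the chain described in the last few paragraphs from Windows Security events: a Group Policy object being edited on a domain controller (event ID 5136, directory object modified), then on an endpoint the script execution, the deletion of the security product’s folder, the safe-boot change and the forced restart (event ID 4688, process creation with command-line auditing). The event records are constructed, the SD.bat filename is the one named in the article, and the exact command lines matched (bcdedit, rmdir, shutdown) are assumptions about how that behaviour would appear in process-creation logs, not commands quoted in the article.

```python
"""Toy detector for the GPO-then-tamper sequence described above.

Added example: the events are constructed, and the command-line patterns are
assumptions about how the reported behaviour would look in 4688 events.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    """Minimal stand-in for a Windows Security log record (constructed)."""
    event_id: int
    host: str
    fields: dict = field(default_factory=dict)


def _cmd(fields):
    return fields.get("CommandLine", "")


# Rules keyed by event ID. 5136 = directory service object modified (needs a
# SACL on the GPO container); 4688 = process creation (needs "Include command
# line in process creation events" enabled). Patterns are assumptions.
RULES = {
    5136: [
        ("gpo_modified", lambda f: f.get("ObjectClass") == "groupPolicyContainer"),
    ],
    4688: [
        # Filename named in the article; brittle on its own, useful as a pivot.
        ("sd_bat_executed", lambda f: re.search(r"\bSD\.bat\b", _cmd(f), re.I)),
        # Deletion of the security product folder (assumed to look like rmdir/rd/del).
        ("security_folder_delete",
         lambda f: re.search(r"\b(rmdir|rd|del)\b.*trend micro", _cmd(f), re.I)),
        # Removing a safe-boot entry from the default boot configuration (assumed bcdedit).
        ("safeboot_tamper", lambda f: re.search(r"\bbcdedit\b.*\bsafeboot\b", _cmd(f), re.I)),
        # Immediate forced restart, flags in either order.
        ("forced_restart",
         lambda f: re.search(r"\bshutdown(\.exe)?\b(?=.*\s[/-]r\b)(?=.*\s[/-]f\b)", _cmd(f), re.I)),
    ],
}

# Constructed sample events: one GPO edit on the DC, one benign directory
# change, the tamper chain on WS17, and a benign process on WS02.
SAMPLE_EVENTS = [
    Event(5136, "DC01", {"ObjectClass": "groupPolicyContainer",
                         "AttributeLDAPDisplayName": "gPCMachineExtensionNames"}),
    Event(5136, "DC01", {"ObjectClass": "user", "AttributeLDAPDisplayName": "description"}),
    Event(4688, "WS17", {"CommandLine": r"cmd.exe /c C:\Windows\Temp\SD.bat"}),
    Event(4688, "WS17", {"CommandLine": r'cmd.exe /c rmdir /s /q "C:\Program Files\Trend Micro"'}),
    Event(4688, "WS17", {"CommandLine": "bcdedit /deletevalue {default} safeboot"}),
    Event(4688, "WS17", {"CommandLine": "shutdown /r /f /t 0"}),
    Event(4688, "WS02", {"CommandLine": "notepad.exe report.txt"}),
]


def scan(events):
    """Return {host: [finding, ...]} for every event that trips a rule, in log order."""
    findings = defaultdict(list)
    for ev in events:
        for name, pred in RULES.get(ev.event_id, []):
            if pred(ev.fields):
                findings[ev.host].append(name)
    return dict(findings)


# The tamper-then-reboot chain the researchers describe: a host showing all
# three is reported as one high-severity sequence rather than three isolated alerts.
SEQUENCE = {"security_folder_delete", "safeboot_tamper", "forced_restart"}


def correlate(findings):
    """Hosts on which the full defence-tamper sequence was observed."""
    return sorted(h for h, names in findings.items() if SEQUENCE <= set(names))


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, names in found.items():
        print(host, names)
    print("high-severity sequence on:", correlate(found))
```

The 4688 rules are only as good as the telemetry: without command-line auditing enabled, process-creation events carry no command line and every pattern above is blind, and the 5136 rule needs a SACL auditing writes on the Group Policy containers in Active Directory.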

How to protect yourself from ransomware

Given that ransomware operators such as RA World continue to operate with unprecedented agility, organizations should take a multi-layered security approach to harden potential entry points into their systems, including endpoints, email, web interfaces and networks, according to Trend Micro.

Specific best practices recommended by the researchers to minimize the chances of falling victim to ransomware attacks include assigning administrative rights and access to employees only when required, and regularly updating security products while performing periodic scans.

Organizations should also protect essential data with routine backups to prevent potential loss in the event of an incident, and advise employees to proceed with caution when interacting with emails and websites, downloading attachments, clicking URLs, or running unknown programs, the researchers noted.

Trend Micro also recommends that organizations educate employees on typical social engineering tactics and encourage them to report potentially suspicious emails and files to security teams.
