Related Families: Babuk
Verticals Targeted: Healthcare, Finance, Insurance
Executive Summary
RA World is a multistage ransomware family that was recently observed targeting healthcare entities in Latin America.
Key Takeaways
- RA World is a multistage ransomware family.
- RA World was observed targeting healthcare entities in Latin America.
- The attacks appear to be targeted, due to the presence of embedded strings containing the domain names of the targeted entities.
- RA World is based on the leaked Babuk source code.
What is RA World?
RA World is a multistage ransomware family that Trend Micro recently reported on. First seen in April 2023, RA World has targeted entities in the healthcare, financial, and insurance verticals, among others. Targets have primarily been in the US, with a smaller number of victims in Germany, India, and Taiwan. RA World’s more recent activity targeted healthcare entities in Latin America. The attacks appear to be targeted, due to the presence of embedded strings containing the domain names of the targeted entities.
RA World uses a multistage attack. Initial access begins with a compromised domain controller. Group Policy Object (GPO) abuse follows, in the form of a group policy modification to allow PowerShell script execution.
The stage one executable, Stage1.exe, is then run via PowerShell. It lists all domain controllers associated with the current domain, validates the current domain name, and iterates through each domain controller. The process terminates if certain conditions are met, such as the presence of artifacts from a prior compromise. The ransomware then checks whether pay.txt and Stage2.exe are already present on the victim machine; if not, the files are copied to the machine and executed.
Stage2.exe delivers the RA World payload. The malware creates a new service, MSOfficeRunOnceIsIs, to maintain persistence. This service runs in Safe Mode with Networking. For defense evasion, it configures Boot Configuration Data to enable Safe Mode with Networking and restarts the machine to initiate that mode. It also decrypts pay.txt and transfers its contents to Stage3.exe, the ransomware payload. Prior to executing the ransomware payload, the malware performs cleanup activities to delete malware remnants and create registry keys.
Stage3.exe is the ransomware payload. RA World ransomware is based on the leaked Babuk source code. The ransomware encrypts victim files and drops a ransom note. RA World is unique in that its ransom note includes a list of recent victims who did not pay the ransom. Additionally, RA World attempts to delete the Trend Micro folder in an effort to evade antivirus detection, and removes the Safe Mode with Networking option in an attempt to hide indicators. Finally, RA World reboots the victim machine.
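The host artifacts described in the three stages above (Stage1.exe launched through PowerShell, the MSOfficeRunOnceIsIs service, the Boot Configuration Data change for Safe Mode with Networking, and the pay.txt / Stage2.exe / Stage3.exe staging files) can be turned into simple detection logic. The following is an added example written for this write-up; it is not PolySwarm's, Trend Micro's, or the malware author's code. It assumes a normalised event schema (EventID, Computer, CommandLine, ServiceName, ImagePath, TargetFilename) such as a SIEM would produce from Security 4688 / Sysmon 1 process-creation, System 7045 service-install, and Sysmon 11 file-create events, and it assumes the BCD change is made with bcdedit.exe, which the write-up does not name. The sample events are constructed for the example.

```python
"""Detection logic for the RA World host artifacts described in the write-up.

Added example, not part of the original post. Event field names are an
assumed normalised schema, and bcdedit.exe is an assumed tool for the
Boot Configuration Data change; the sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Artifacts named in the write-up.
SERVICE_NAME = "MSOfficeRunOnceIsIs"
STAGING_FILES = {"pay.txt", "stage1.exe", "stage2.exe", "stage3.exe"}

# ASSUMPTION: the write-up says Boot Configuration Data is modified to enable
# (and later remove) Safe Mode with Networking but does not name the tool.
# bcdedit.exe with a "safeboot" argument is assumed here; both setting and
# deleting the value are flagged, since the malware does both.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)

PROCESS_EVENTS = {4688, 1}  # Security 4688 / Sysmon 1: process creation
SERVICE_INSTALL = 7045      # System 7045: a new service was installed
FILE_CREATE = 11            # Sysmon 11: file created


@dataclass
class Finding:
    host: str
    event_id: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: Dict) -> List[Finding]:
    """Return the RA World findings (possibly none) for one normalised event."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "unknown")
    out: List[Finding] = []

    if eid in PROCESS_EVENTS:
        cmd = ev.get("CommandLine", "")
        # A staging file (Stage1/2/3.exe, pay.txt) referenced on a command line,
        # e.g. PowerShell launching Stage1.exe.
        hits = sorted(n for n in STAGING_FILES if n in cmd.lower())
        if hits:
            out.append(Finding(host, eid, "raworld.execution.stager", ", ".join(hits)))
        if SAFEBOOT_RE.search(cmd):
            out.append(Finding(host, eid, "raworld.defense_evasion.safeboot", cmd))

    elif eid == SERVICE_INSTALL:
        if ev.get("ServiceName", "").lower() == SERVICE_NAME.lower():
            out.append(Finding(host, eid, "raworld.persistence.service", ev.get("ImagePath", "")))

    elif eid == FILE_CREATE:
        target = ev.get("TargetFilename", "")
        if _basename(target) in STAGING_FILES:
            out.append(Finding(host, eid, "raworld.staging.file", target))

    return out


def scan(events: List[Dict]) -> List[Finding]:
    """Run check_event over a sequence of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events: four mimic the write-up's behaviours, three are benign.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS07",
     "CommandLine": "powershell.exe -c \"& 'C:\\Windows\\Temp\\Stage1.exe'\""},
    {"EventID": 4688, "Computer": "WS07", "CommandLine": "bcdedit.exe /enum"},
    {"EventID": 11, "Computer": "WS07", "TargetFilename": "C:\\Windows\\Temp\\pay.txt"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "MSOfficeRunOnceIsIs",
     "ImagePath": "C:\\Windows\\Temp\\Stage2.exe"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 4688, "Computer": "WS07",
     "CommandLine": "bcdedit.exe /set {default} safeboot network"},
    {"EventID": 11, "Computer": "WS07", "TargetFilename": "C:\\Users\\a\\report.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}\tEventID {f.event_id}\t{f.rule}\t{f.detail}")
```

In production the service-name and file-name rules are high-confidence on their own; the bcdedit rule should be scoped to exclude the organisation's own imaging and recovery tooling, which legitimately touches safeboot.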
IOCs
PolySwarm has multiple samples associated with RA World.
330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819
feab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c
dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f
You can use the following CLI command to search for all RA World samples in our portal:
$ polyswarm link list -f RAWorld
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.