Ransom Group : RA World
Who: RA World. The group is suspected to be a rebrand of RA Group, based on its use of the same extortion and encryption techniques.
What: Ransomware group that targets businesses in healthcare, finance, and manufacturing.
When: Emerged in April 2023. Last observed attack occurred in July 2024.
Where: This group has mostly focused its efforts on the United States, while gradually widening its attacks across South America, Europe and Southeast Asia.
Why: The primary motive is financial, consistent with the group's history of targeting organizations capable of paying high ransoms. The group has also been involved in several espionage attacks.
Who are they?
RA World primarily targeted organizations in the healthcare industry, then shifted towards the manufacturing sector in 2024.
What makes them unique?
RA World employs a multi-extortion scheme that involves exfiltrating data before encrypting victim systems. The stolen data becomes the leverage used to extort victims into paying the ransom. Of note, this group uses the unique encrypted file extension `.RAWLD`.
For initial access, RA World aims to compromise the domain controller (DC) of the target network. They have been known to place malware under the SYSVOL share path, which lets them use Group Policy Object (GPO) processing to execute the ransomware on other machines in the target domain. The attackers have been observed changing GPO settings to modify the PowerShell script execution policy; PowerShell is then used to run `Stage1.exe`.
Post-exploitation actions by the ransomware include evasion scripts (e.g. `SD.bat`) that delete antivirus folders, and removal of the "Safe Mode with Networking" option from the default Windows boot configuration, followed by an immediate forced reboot.
Tools/Implant:
RA World has used [Impacket](https://www.kali.org/tools/impacket/) to dump the SAM hive, copy the NTDS database, and export a copy of the system registry. Remote commands have previously been run under the Windows Management Instrumentation (WMI) Provider Host (`WmiPrvSE.exe`), which launched `cmd.exe` to invoke the "copy" and "makecab" utilities to archive the databases.
According to TTP research by Palo Alto Networks' Unit 42, RA World has used the open-source [NPS](https://github.com/ehang-io/nps) proxy, which was also used by [BRONZE STARLIGHT](https://www.sygnia.co/threat-reports-and-advisories/revealing-emperor-dragonfly-a-chinese-ransomware-group/).
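Detection logic for the process-level behaviours described in the initial-access, evasion and tooling paragraphs above (GPO-driven execution from SYSVOL, `WmiPrvSE.exe` spawning `cmd.exe` to run copy/makecab, and boot-configuration tampering). This is an added example, not code from the profile or from any vendor report; the Sysmon-style event shape, the `gpscript.exe` parent and the exact `bcdedit` command line are assumptions, and all events are constructed.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 fields (assumption).
SAMPLE_EVENTS = [
    {   # Stage1.exe launched by PowerShell from the domain SYSVOL share via GPO
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\System32\gpscript.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass \\corp.local\SYSVOL\corp.local\scripts\Stage1.exe",
    },
    {   # WMI Provider Host spawning cmd.exe to archive a copied database
        "image": r"C:\Windows\System32\cmd.exe",
        "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "cmdline": r"cmd.exe /c makecab C:\Windows\Temp\ntds.dit C:\Windows\Temp\ntds.cab",
    },
    {   # Removing the safe-boot value from the default boot entry (constructed)
        "image": r"C:\Windows\System32\bcdedit.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"bcdedit /deletevalue {default} safeboot",
    },
    {   # Benign: an interactive user copying a file (must not alert)
        "image": r"C:\Windows\System32\cmd.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"cmd.exe /c copy C:\Users\alice\report.docx D:\backup",
    },
]

def exec_from_sysvol(e):
    """Anything launched from the domain SYSVOL share is GPO-distributed;
    legitimate logon scripts live there too, so triage the file that was run."""
    return re.search(r"\\\\[^\\]+\\SYSVOL\\", e["cmdline"], re.I) is not None

def wmi_spawned_archiving(e):
    """cmd.exe under WmiPrvSE.exe running copy/makecab: remote staging of data."""
    return (e["parent"].lower().endswith(r"\wmiprvse.exe")
            and re.search(r"\b(copy|makecab)\b", e["cmdline"], re.I) is not None)

def bootcfg_tamper(e):
    """bcdedit touching the safeboot value removes the Safe Mode recovery path."""
    return (e["image"].lower().endswith(r"\bcdedit.exe")
            and "safeboot" in e["cmdline"].lower())

RULES = [exec_from_sysvol, wmi_spawned_archiving, bootcfg_tamper]

def evaluate(events):
    """Return [(rule_name, cmdline), ...] for every event that trips a rule."""
    return [(rule.__name__, e["cmdline"]) for e in events for rule in RULES if rule(e)]

if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The benign fourth event contains "copy" but has `explorer.exe` as parent, which is why the rules key on the parent process rather than on the utility name alone.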
RA World uses the [Babuk ransomware source code](https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/) that was released in April 2021 as the foundation for its tailored variants.
`Stage1.exe` performs a check for domain controllers residing within the domain. It also checks the `%WINDIR%\Help` directory for the presence of `Finish.exe` or `Exclude.exe`, which would signify that the machine is already compromised or shielded.
If `Stage2.exe` cannot be executed locally, a copy of `Stage2.exe` is retrieved from a SYSVOL path for installation. `Stage2.exe` also checks whether the machine is running in Safe Mode, and is capable of creating and running a service called `MSOfficeRunOnceIsIs` when Safe Mode with Networking is enabled.
`Stage2.exe` performs AES decryption and Base64 decoding on its contents to form the `Stage3.exe`, which contains the ransomware payload.
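A host-side triage check for the staging artifacts named in the three paragraphs above: the `Finish.exe`/`Exclude.exe` markers under `%WINDIR%\Help`, the `MSOfficeRunOnceIsIs` service, and the `.RAWLD` extension. This is an added example, not code from the profile or any vendor report; the host layout and the service list are constructed in a temporary directory, and the function signatures are assumptions.

```python
# Host triage for the RA World staging artifacts described above; the host
# layout is constructed in a temp directory (assumption, not real data).
import tempfile
from pathlib import Path

MARKER_FILES = {"Finish.exe", "Exclude.exe"}   # dropped in %WINDIR%\Help
ENCRYPTED_EXT = ".rawld"                       # encrypted-file extension
SUSPICIOUS_SERVICE = "MSOfficeRunOnceIsIs"     # service created by Stage2.exe

def triage(windir, scan_root, service_names):
    """Check one host for the three indicators; returns what was found."""
    help_dir = Path(windir) / "Help"
    markers = sorted(f for f in MARKER_FILES if (help_dir / f).is_file())
    encrypted = sorted(p.name for p in Path(scan_root).rglob("*")
                       if p.is_file() and p.suffix.lower() == ENCRYPTED_EXT)
    services = [s for s in service_names if s.lower() == SUSPICIOUS_SERVICE.lower()]
    return {"stage_markers": markers, "encrypted_files": encrypted,
            "services": services}

def build_sample_host():
    """Constructed host: one marker file, one encrypted document, one rogue service."""
    root = Path(tempfile.mkdtemp())
    help_dir = root / "Windows" / "Help"
    help_dir.mkdir(parents=True)
    (help_dir / "Finish.exe").write_bytes(b"MZ")          # marker only, not a PE
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "q3.xlsx.RAWLD").write_bytes(b"\x00" * 16)    # constructed ciphertext
    (docs / "notes.txt").write_text("clean")
    services = ["Spooler", "MSOfficeRunOnceIsIs", "wuauserv"]  # constructed list
    return root / "Windows", root, services

def demo():
    """Run the triage over the constructed host."""
    windir, root, services = build_sample_host()
    return triage(windir, root, services)

if __name__ == "__main__":
    print(demo())
```

On a real host the same `triage` function would be pointed at the actual `%WINDIR%` and at the enumerated service names instead of the constructed ones.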
Mitigation Measures:
Restrict Administrative Privileges: Minimize the use of administrative accounts to reduce the risk of malicious tools executing with elevated permissions.
Regularly Back Up Critical Data: Maintain offline backups accessible from hot and/or cold sites. Regularly test and practice the restoration process to ensure swift recovery in the event of a ransomware attack.
Summary:
RA World is a ransomware group that emerged in April 2023, suspected to be a rebranded version of RA Group due to their use of similar encryption and extortion techniques. Their primary targets include businesses in healthcare, finance, and manufacturing. While their initial focus was on the United States, their attacks have expanded into South America, Europe, and Southeast Asia. The group's primary motive is financial gain, though they have also been involved in espionage-related attacks.
Organizations should prioritize robust backup strategies, network segmentation, and proactive monitoring to mitigate the risks posed by RA World’s tactics.
Sources
Avertium. (2024, July 3). New Ransomware Groups to Watch - RA World and Dragonforce. https://www.avertium.com/resources/threat-reports/new-ransomware-groups-to-watch-ra-world-and-dragonforce
SOCRadar Cyber Intelligence Inc. (2025, January 31). Dark Web Profile: RA World. https://socradar.io/dark-web-profile-ra-world/
Montalbano, E. (2024, March 5). Fast-Growing RA Ransomware Group Goes Global. Dark Reading. https://www.darkreading.com/ics-ot-security/fast-growing-ra-ransomware-group-goes-global
Frank, D. (2024, July 24). From RA Group to RA World: Evolution of a ransomware group. Unit 42. https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/
Morales, et al. (2024, March 4). Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO. Trend Micro. https://www.trendmicro.com/en_ae/research/24/c/multistage-ra-world-ransomware.html
Symantec Enterprise Blogs. (2025, February 13). China-linked Espionage Tools Used in Ransomware Attacks. https://www.security.com/threat-intelligence/chinese-espionage-ransomware
The Hacker News. (2025, February 14). RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset. https://thehackernews.com/2025/02/hackers-exploited-pan-os-flaw-to-deploy.html