Key points
- RA World first appeared in public scans in early December 2023 and reportedly steals victims’ data prior to encryption.
- The malware enumerates and stops numerous backup and security-related services (e.g., Veeam, BackupExec, Sophos) and terminates many application and DB processes (e.g., sql.exe, oracle.exe, excel.exe).
- It deletes Volume Shadow Copies using the command “vssadmin.exe delete shadows /all /quiet” to inhibit system recovery.
- Files are encrypted and given hardcoded extensions such as “.RAWLD” and variant “.yM8Yl”; a ransom note (“Data breach warning.txt”) includes contact methods (Tox, Telegram) and leak/publish procedures (Gofile, TOR/non‑TOR sites).
- The ransomware excludes common system and program files/folders (e.g., AppData, Windows, Program Files) and several binary/file types from encryption.
- FortiGuard AV detects RA World with signatures including W64/Rook.B!tr.ransom and provides protections via FortiGate, FortiMail, FortiClient, and FortiEDR.
- Four representative SHA‑256 file hashes are published as indicators for detection and response.
MITRE Techniques
- [T1486] Data Encrypted for Impact – encrypts victim files and appends extensions (e.g., ‘.RAWLD’ / ‘.yM8Yl’). Quote: ‘The malware encrypts files on the victims’ machines and adds the following extension to the encrypted files’.
- [T1490] Inhibit System Recovery – removes recovery artifacts by deleting Volume Shadow Copies. Quote: ‘vssadmin.exe delete shadows /all /quiet’.
- [T1567.002] Exfiltration to Cloud Storage – steals and publishes victim data to web/cloud services and leak sites (e.g., Gofile, TOR/non‑TOR sites). Quotes: ‘The threat actor steals victims’ data before deploying and running its ransomware malware’ and ‘make some of the victim’s stolen files available via the Gofile file‑sharing service’.
- [T1489] Service Stop (Impact) – stops backup and security services and terminates processes to hinder recovery and detection. Quotes: ‘It stops the following services:’ and ‘It terminates the following processes:’.
Indicators of Compromise
- [SHA256 hashes] RA World sample files – 4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801, 51da3acc6c7089bd0f1df9d9902e183db0d1342552404c3c1b898b168399b0bc, and 2 more hashes.
- [Ransom note filename] Dropped ransom note – “Data breach warning.txt” (provides contact methods and leak schedule).
- [File extensions] Encrypted file extensions – .RAWLD (primary) and variant .yM8Yl used by a minor variant.
- [Mutex] Unique mutex string used by sample – “For whom the bell tolls, it tolls for thee.”
- [Command artifact] Shadow copy deletion command – “vssadmin.exe delete shadows /all /quiet”.
- [Services/processes] Backup/security services and processes targeted – examples: VeeamTransportSvc, BackupExecAgentBrowser, sql.exe, excel.exe (the malware stops many backup/AV services and kills database and productivity processes).
- [Leak/communication platforms] Data publishing and contact methods – Gofile (file sharing), TOR and non‑TOR leak sites, contact via Tox and Telegram (Telegram later removed in a variant).
RA World technical procedure (concise)
RA World operates by first exfiltrating victim data and then deploying file‑encryption routines. Samples show the actor halts a wide range of backup and security services (e.g., Veeam, BackupExec, Sophos) and kills numerous database and application processes (sql.exe, oracle.exe, excel.exe, outlook.exe) to remove locks on files and impede recovery. The ransomware explicitly runs “vssadmin.exe delete shadows /all /quiet” to remove Volume Shadow Copies, preventing rollback from local backups.
The malware encrypts files and appends hardcoded extensions such as “.RAWLD” (and variant “.yM8Yl”), while excluding executables, DLLs, installer and system folders (AppData, Windows, Program Files, SYSVOL, etc.) from encryption. It drops a ransom note named “Data breach warning.txt” with contact options (Tox, previously Telegram) and threatens staged publication of exfiltrated files via Gofile and TOR/non‑TOR leak sites. The sample also uses a distinct mutex (“For whom the bell tolls, it tolls for thee.”) and is detected by FortiGuard AV signatures; four SHA‑256 sample hashes are provided for detection and response.
Responders should look for the listed service/process stoppages, the vssadmin deletion command, the ransom note filename and the specific file extensions as immediate indicators of compromise, and use published SHA‑256 hashes to validate and block samples while coordinating data‑exfiltration and recovery investigations.
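To turn the indicators above into a concrete triage check, the following is an added example (not FortiGuard's tooling and not code from the report) that tags Windows 4688/7036 and Sysmon-style log lines with the RA World indicators listed on this page; the log lines are constructed, and only the two SHA-256 hashes printed on this page are included.

```python
import re

# Indicators from the report above (only the two hashes printed on the page).
RAWORLD_SHA256 = {
    "4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801",
    "51da3acc6c7089bd0f1df9d9902e183db0d1342552404c3c1b898b168399b0bc",
}
RANSOM_NOTE = "data breach warning.txt"
MUTEX = "for whom the bell tolls, it tolls for thee."
TARGETED_SERVICES = {"veeamtransportsvc", "backupexecagentbrowser"}
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet")
ENCRYPTED_EXT_RE = re.compile(r"\.(?:rawld|ym8yl)\b")
SERVICE_STOP_RE = re.compile(r"the (\S+) service entered the stopped state")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

def classify(line: str) -> list[str]:
    """Return the RA World indicator tags matched by one log line (empty if none)."""
    low = line.lower()  # every indicator is matched case-insensitively
    tags = []
    if VSSADMIN_RE.search(low):
        tags.append("T1490:vssadmin-delete-shadows")
    m = SERVICE_STOP_RE.search(low)
    if m and m.group(1) in TARGETED_SERVICES:  # only backup/AV services named in the report
        tags.append("T1489:backup-service-stopped:" + m.group(1))
    if ENCRYPTED_EXT_RE.search(low):
        tags.append("T1486:encrypted-extension")
    if RANSOM_NOTE in low:
        tags.append("ransom-note-dropped")
    if MUTEX in low:  # useful for sandbox/memory reports rather than event logs
        tags.append("raworld-mutex")
    if RAWORLD_SHA256.intersection(SHA256_RE.findall(low)):
        tags.append("known-sample-hash")
    return tags

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, tags) for every line matching at least one indicator."""
    return [(n, t) for n, line in enumerate(log_text.splitlines(), 1) if (t := classify(line))]

# Constructed sample log lines (not real telemetry); line 3 is a benign service event.
SAMPLE_LOG = """\
2024-01-10T03:12:05Z host=FS01 evt=4688 user=SYSTEM cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"
2024-01-10T03:12:07Z host=FS01 evt=7036 msg="The VeeamTransportSvc service entered the stopped state."
2024-01-10T03:12:08Z host=FS01 evt=7036 msg="The Print Spooler service entered the running state."
2024-01-10T03:12:11Z host=FS01 sysmon=11 file="C:\\Shares\\Finance\\Q4.xlsx.RAWLD"
2024-01-10T03:12:12Z host=FS01 sysmon=11 file="C:\\Shares\\Finance\\Data breach warning.txt"
2024-01-10T03:12:13Z host=FS01 sysmon=1 sha256=4866d6994c2f8b4dadfaabc2e2b81bd86c12f68fdf0da13d41d7b0e30bea0801 image="C:\\Temp\\upd.exe"
"""

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG): print(f"line {n}: {', '.join(tags)}")
```

Several distinct tags on one host within a short window is the signal to escalate; a single hit (especially the extension or note filename) still warrants pulling the process creation and file events around it.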