Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO

The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors.


This is an article about a new multistage ransomware attack by the RA World ransomware group. It discusses the targets and tactics used in the attack.


  • The RA World ransomware group primarily targets healthcare and financial institutions.
  • They gain access to systems through compromised domain controllers.
  • Then they use Group Policy to distribute malware.
  • The malware can then move laterally across a network to infect other systems.
  • This highlights the importance of securing domain controllers and implementing network segmentation to prevent the spread of ransomware.