“RA Group to RA World: The Evolution of a Ransomware Syndicate”

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial Access by exploiting misconfigured or vulnerable internet-facing servers. ‘Based on our telemetry, RA World predominantly exploits misconfigured or vulnerable internet-facing servers. We have not observed instances of phishing attacks to gain initial access to the environment.’
• [T1003] Credential Dumping – Uses PsExec and SysInternals to dump credentials and runs quser/tscon to gather user and session data. ‘They also attempted to run the quser and tscon commands to retrieve data about the current user and remote session.’
• [T1047] Windows Management Instrumentation – Commands executed under the Windows Management Instrumentation Host to move laterally. ‘The attackers executed the above commands under the Windows Management Instrument Provider Host.’
• [T1021.001] Lateral Movement – Impacket used for lateral movement; dumps SAM hive, copies NTDS, and exports the system registry. ‘To move laterally in the compromised network and execute commands on remote endpoints, RA World used the popular Impacket tool. They executed remote commands to dump the SAM hive, copied the NTDS database and exported the system registry.’
• [T1543.003] Create or Modify System Process: Windows Service – Stage2.exe writes itself as a service on the compromised machine. ‘Stage2.exe will write itself as a service to the compromised machine, using the following command: reg add …’
• [T1562.001] Impair Defenses – Safe Mode execution to evade detection. ‘Stage3.exe must be run in safe mode so it can evade detection by security solutions that, by default, won’t run in this mode.’
• [T1560.001] Archive Collected Data – Archiving data (NTDS/SAM/SystemRegistry) during lateral movement with makecab. ‘The commands … makecab [redacted].dit [redacted].zip …’
• [T1486] Data Encrypted for Impact – Final Babuk payload encrypts files; new Babuk variant. ‘Stage3: New Variant of the Babuk Final Payload’ and ‘the final ransomware payload, and a new Babuk variant.’
• [T1041] Exfiltration – The group leaks exfiltrated data via their leak site to coerce payment. ‘RA World maintains a leak site, where the group uploads portions of the stolen data they exfiltrate from their victims to coerce ransom payments.’
• [T1490] Inhibit System Recovery – Attempts to tamper with backups/shadow copies (e.g., vssadmin delete shadows). ‘C:WindowsSystem32cmd.exe /c vssadmin.exe delete shadows /all /quiet’ as shown in Figures highlighting tampering.