RA World Exposes Weak Hospital Data Protection

Trend Micro recently reported a new wave of activity by the extortion group RA World, also known as RA Group. The group began its malicious operations in April 2023 and has targeted numerous organizations, primarily in the healthcare and finance sectors in the USA, Germany, India, and Taiwan.

Trend Micro's researchers found that the latest series of RA World attacks was directed at several healthcare organizations in Latin America. The attacks were carried out in multiple stages to increase the likelihood of success.

The attack begins with the attackers gaining access to domain controllers; a crucial element is the manipulation of Group Policy Objects (GPOs) to push their own policies across the victim's domain.

In the first stage, the malware uses a file called "Stage1.exe" to assess and prepare the network for further intrusion. This involves inspecting domain controllers and preparing to replicate the next phase of the malware.

In the second stage, the malware copies itself to other machines on the network and readies them for file encryption. "Stage2.exe" is responsible for spreading the malicious code within the target network, paving the way for the main attack.

In the final stage, "Stage3.exe" encrypts files on infected computers and demands a ransom for their decryption. It employs sophisticated encryption techniques, rendering files inaccessible to users and systems.

In addition, the malware can reboot the system into a special Safe Mode to evade detection by antivirus software. It also erases traces of its presence after the attack, complicating analysis and recovery efforts.
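The staged pattern described above (GPO change on a domain controller, Stage1/2/3.exe executing on workstations, a Safe Mode reboot) lends itself to host-correlated detection. The script below is an added example, not code from Trend Micro or from this article: the log lines are constructed in a simplified key=value form rather than real EVTX output, the gpscript.exe parent process and the bcdedit-based safeboot change are assumptions about how such a deployment might surface in telemetry, and the event IDs (5136 for directory object modification, Sysmon 1 for process creation) are real.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form (not real EVTX output).
# Event IDs are real: 5136 = AD object modified (Security log), 1 = process creation (Sysmon).
SAMPLE_EVENTS = [
    'ts=01 host=DC01 eid=5136 class=groupPolicyContainer attr=gPCFileSysPath actor=CORP\\svc-backup',
    'ts=02 host=WS17 eid=1 image=\\\\corp.local\\SYSVOL\\corp.local\\scripts\\Stage1.exe parent=gpscript.exe',
    'ts=03 host=WS17 eid=1 image=C:\\Windows\\Temp\\Stage2.exe parent=Stage1.exe',
    'ts=04 host=WS17 eid=1 image=C:\\Windows\\Temp\\Stage3.exe parent=Stage2.exe',
    'ts=05 host=WS17 eid=1 image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} safeboot network"',
    'ts=06 host=WS22 eid=1 image="C:\\Program Files\\App\\updater.exe" parent=services.exe',
]

STAGE_BINARY = re.compile(r'[\\/]stage[123]\.exe$', re.IGNORECASE)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def indicators(event):
    """Return the RA World-style behaviours one event matches (possibly none)."""
    hits = []
    if event.get('eid') == '5136' and event.get('class', '').lower() == 'grouppolicycontainer':
        hits.append('gpo_modified')            # GPO edited on a domain controller
    if event.get('eid') == '1':
        image = event.get('image', '')
        if STAGE_BINARY.search(image):
            hits.append('staged_binary')       # Stage1/2/3.exe naming from the report
        if 'sysvol' in image.lower():
            hits.append('exec_from_sysvol')    # binary delivered via the GPO share
        if 'safeboot' in event.get('cmdline', '').lower():
            hits.append('safeboot_configured') # assumption: safe-mode reboot set via bcdedit
    return hits

def analyse(lines):
    """Collect indicators per host; flag hosts with 2+ behaviours and a domain-wide GPO+stage match."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_host[ev['host']].update(indicators(ev))
    flagged = sorted(h for h, s in per_host.items() if len(s) >= 2)
    # A GPO change on the DC co-occurring with staged binaries elsewhere is the cross-host pattern.
    campaign = {'gpo_modified', 'staged_binary'} <= set().union(*per_host.values())
    return {h: sorted(s) for h, s in per_host.items()}, flagged, campaign

if __name__ == '__main__':
    hosts, flagged, campaign = analyse(SAMPLE_EVENTS)
    print(hosts, flagged, campaign)
```

Because the GPO edit lands on the domain controller while the staged binaries run on workstations, the domain-wide check matters: per-host scoring alone would rate DC01 as clean.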

To mitigate the risk, organizations are advised to follow security best practices to avoid falling victim to RA World attacks, such as restricting administrative rights, keeping software updated, regularly backing up data, exercising caution when interacting with emails and websites, and educating employees on cybersecurity fundamentals.

A comprehensive security approach can substantially harden potential entry points into the system, significantly bolstering enterprise protection.
