Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO

March 4, 2024 at 03:58AM

The Trend Micro threat hunting team recently discovered an RA World ransomware attack that uses multistage components to ensure maximum impact. The group has successfully breached organizations globally, with a focus on the healthcare and financial sectors. The attack involves several stages, including initial access, privilege escalation, lateral movement, persistence, defense evasion, and impact. Organizations at risk are advised to follow security best practices against such attacks.

Based on the article, here are the main takeaways:

1. The RA World ransomware has been targeting organizations worldwide since April 2023, particularly in the healthcare and financial sectors.

2. The ransomware uses a multistage attack approach, starting with compromising domain controllers and employing tactics such as privilege escalation, lateral movement, persistence, defense evasion, and data destruction to ensure maximum impact.

3. The operators of the RA World ransomware deploy anti-AV tactics, including attempting to wipe out security products, gathering disk information, and removing the Safe Mode with Networking option.

4. The emergence of ransomware-as-a-service (RaaS) and the leakage of source code have lowered the barriers for new threat groups, such as the operators of the RA World ransomware, to enter the ransomware landscape.

5. Recommendations and solutions for organizations include implementing best practices like restricting administrative rights, updating security products, conducting regular backups, and educating users on social engineering risks.

6. Employing multilayered security solutions, such as Trend Vision One™ and Trend Micro Apex One™, can help organizations strengthen their security posture against ransomware attacks.

These takeaways provide a comprehensive understanding of the RA World ransomware, its attack techniques, and the recommended security measures to mitigate the risks associated with such attacks.
