Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
RA World ransomware employs a sophisticated multistage attack chain that abuses legitimate Windows infrastructure for maximum impact. The operators distribute their payloads through Group Policy Objects (GPO), ensuring enterprise-wide deployment across Active Directory environments. A key evasion technique involves rebooting infected machines into Safe Mode, where most security products don't load, before executing the encryption routine. The ransomware itself is derived from Babuk source code with modifications to the encryption implementation. This article traces the full kill chain from initial domain compromise through GPO abuse to encryption, with detailed analysis of each stage.
Related Research
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Uncovered Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.
CrazyHunter Campaign Targets Taiwanese Critical Sectors
Identified CrazyHunter targeting Taiwanese healthcare and education using 80% open-source tooling and BYOVD attacks.