RA World is a ransomware operation that first appeared publicly on April 22, 2023, initially operating under the name RA Group before rebranding. The group built their ransomware on leaked Babuk source code — the same codebase that spawned Nokoyawa, Pandora, and a cluster of other successor groups after Babuk’s source was published in 2021. Despite the familiar technical foundation, RA World has distinguished itself through sustained targeting of healthcare and pharmaceutical organisations and an operational tempo that has expanded from the United States and South Korea to Germany, India, Taiwan, and, more recently, Latin America.
Technical Profile: Encryption and Execution
RA World’s encryptor inherits Babuk’s cryptographic scheme with minor modifications. File encryption uses curve25519 for key exchange combined with the hc-128 stream cipher for data encryption. The group encrypts only a portion of each file’s content rather than the full file — a performance optimisation that enables faster encryption across large file systems at the cost of some forensic detectability, since partial encryption leaves recoverable data in many files.
Encrypted files receive the .GAGUP extension, a consistent marker across all documented RA World intrusions. The encryptor drops a ransom note (How To Restore Your Files.txt) in each directory, directing victims to a Tor-hosted data leak site.
Cisco Talos’s initial disclosure (May 2023) confirmed the mutex name and cryptographic implementation match Babuk’s leaked source code, establishing the lineage definitively.
Initial Access and Lateral Movement
RA World gains initial access through a combination of exposed remote services and credential theft against externally facing infrastructure. Once inside, the group’s preferred lateral movement path is domain controller compromise — the highest-privilege system in the environment — followed by abuse of Group Policy Objects to propagate the encryptor and disable security controls at scale.
The GPO attack chain documented by GBHackers:
- Authenticate to a domain controller using compromised privileged credentials
- Create or modify a GPO targeting workstations and servers
- Configure the GPO to execute a PowerShell script at computer startup:
powershell.exe -ExecutionPolicy Bypass -File \\dc\sysvol\script.ps1 - The script disables Windows Defender and other endpoint controls
- A secondary script drops and executes the RA World encryptor across all policy-targeted endpoints
This pattern is not unique to RA World — it’s a documented technique used by multiple ransomware groups — but it remains effective against Active Directory environments with limited visibility into GPO changes and no detection on bulk Kerberos authentication events.
Targeting and Victimology
RA World launched with three victims in its first week, in April 2023, and has expanded to a consistent stream of new victims through 2025 and 2026. Primary sectors targeted:
Healthcare: RA World has an explicit focus on healthcare organisations in both North America and Latin America. Hospital systems, health insurance providers, and clinical laboratory services have all appeared on the group’s data leak site. Healthcare victims are particularly exploitable because operational disruption directly affects patient care, increasing pressure to pay.
Pharmaceutical: Pharmaceutical companies and contract research organisations appear consistently in victim lists, likely because they hold valuable intellectual property (clinical trial data, formulation records) that creates both operational disruption and IP theft leverage.
Financial services: Insurance providers and wealth management firms have been targeted in the U.S. and South Korea.
Manufacturing: Production environment disruption creates time pressure for manufacturers, making them viable targets across all ransomware groups.
Geographic expansion: Originally concentrated on U.S. and South Korean targets, RA World expanded to Germany, India, and Taiwan through 2024. The most notable recent expansion is into healthcare in Latin America — specifically targeting hospital networks in Brazil, Argentina, and Colombia where cybersecurity maturity tends to be lower and international incident response resources are less readily available.
Data Extortion and Leak Site
RA World operates a double-extortion model. Before encrypting, the group exfiltrates sensitive data — patient records, financial data, proprietary formulations, contracts, and employee PII. The threat of publishing that data is the second lever for extracting payment.
The group’s Tor-hosted leak site initially provided a countdown timer after which exfiltrated data would be published. The site has been consistently operational since April 2023, unlike some smaller groups that take their infrastructure offline between campaigns.
Ransom demands vary by target size. Published reports for RA World intrusions suggest demands typically in the range of $100,000 to $500,000 for smaller targets, with higher demands for large hospital networks and pharmaceutical firms where data sensitivity increases leverage.
Relationship to the Babuk Ecosystem
RA World is one of multiple active groups using Babuk-derived code. The Babuk leak created a floor of encryption capability accessible to any threat actor willing to adapt the codebase, without the years of development effort a purpose-built encryptor requires. Akira, Abyss Locker, and several smaller groups also use Babuk-derived code.
The shared source does not mean shared operations. RA World operates its own infrastructure, negotiation portal, and affiliate structure independently. Attribution of a Babuk-derived sample to RA World requires victim targeting patterns, ransom note format, and operational infrastructure rather than malware family designation alone.
Defensive Recommendations
GPO abuse as a propagation mechanism is detectable. Prioritise detection on:
- GPO creation or modification events (Windows Event ID 5136, 5137) where the modifying account is not a known GPO admin
- Execution of PowerShell scripts via SYSVOL paths from workstations and servers
- Bulk authentication events from a domain controller account to many hosts in a short window (Kerberos TGS requests from unusual principals)
- Antivirus or Windows Defender service stop events correlated with network execution sources
PolySwarm’s threat intelligence feed includes RA World sample IOCs. Cisco Talos’s original disclosure provides YARA rules applicable to Babuk-derived encryptors.
References
- Cisco Talos — RA Group Compromises Companies With Leaked Babuk Source Code
- Dark Reading — Fast-Growing RA Ransomware Group Goes Global
- GBHackers — Multistage RA World Ransomware Exploits Group Policy Infrastructure
- PolySwarm — RA World Ransomware Targets Healthcare Entities
- SecurityOnline — RA World Ransomware: A Babuk Successor Targets Healthcare