LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile RA World

RA World: Babuk's Successor Targeting Healthcare, Pharma, and Finance

RA World (formerly RA Group) is a double-extortion ransomware operation built on leaked Babuk source code, with a documented pattern of domain controller compromise, GPO abuse, and targeted attacks on healthcare and pharmaceutical organisations across North America, Europe, and Latin America.

By Ransomware Tracker ·
RA WorldRA GroupBabukhealthcarepharmaceuticalmanufacturingfinancedouble extortionGPO abusecurve25519hc-128GAGUPdomain controllerLatin America
Threat Level
8/10
Sectors Targeted
healthcare
finance
manufacturing
pharmaceutical
insurance
Ransomware Family
RA World

RA World is a ransomware operation that first appeared publicly on April 22, 2023, initially operating under the name RA Group before rebranding. The group built their ransomware on leaked Babuk source code — the same codebase that spawned Nokoyawa, Pandora, and a cluster of other successor groups after Babuk’s source was published in 2021. Despite the familiar technical foundation, RA World has distinguished itself through sustained targeting of healthcare and pharmaceutical organisations and an operational tempo that has expanded from the United States and South Korea to Germany, India, Taiwan, and, more recently, Latin America.

Technical Profile: Encryption and Execution

RA World’s encryptor inherits Babuk’s cryptographic scheme with minor modifications. File encryption uses curve25519 for key exchange combined with the hc-128 stream cipher for data encryption. The group encrypts only a portion of each file’s content rather than the full file — a performance optimisation that enables faster encryption across large file systems at the cost of some forensic detectability, since partial encryption leaves recoverable data in many files.

Encrypted files receive the .GAGUP extension, a consistent marker across all documented RA World intrusions. The encryptor drops a ransom note (How To Restore Your Files.txt) in each directory, directing victims to a Tor-hosted data leak site.

Cisco Talos’s initial disclosure (May 2023) confirmed the mutex name and cryptographic implementation match Babuk’s leaked source code, establishing the lineage definitively.

Initial Access and Lateral Movement

RA World gains initial access through a combination of exposed remote services and credential theft against externally facing infrastructure. Once inside, the group’s preferred lateral movement path is domain controller compromise — the highest-privilege system in the environment — followed by abuse of Group Policy Objects to propagate the encryptor and disable security controls at scale.

The GPO attack chain documented by GBHackers:

  1. Authenticate to a domain controller using compromised privileged credentials
  2. Create or modify a GPO targeting workstations and servers
  3. Configure the GPO to execute a PowerShell script at computer startup: powershell.exe -ExecutionPolicy Bypass -File \\dc\sysvol\script.ps1
  4. The script disables Windows Defender and other endpoint controls
  5. A secondary script drops and executes the RA World encryptor across all policy-targeted endpoints

This pattern is not unique to RA World — it’s a documented technique used by multiple ransomware groups — but it remains effective against Active Directory environments with limited visibility into GPO changes and no detection on bulk Kerberos authentication events.

Targeting and Victimology

RA World launched with three victims in its first week, in April 2023, and has expanded to a consistent stream of new victims through 2025 and 2026. Primary sectors targeted:

Healthcare: RA World has an explicit focus on healthcare organisations in both North America and Latin America. Hospital systems, health insurance providers, and clinical laboratory services have all appeared on the group’s data leak site. Healthcare victims are particularly exploitable because operational disruption directly affects patient care, increasing pressure to pay.

Pharmaceutical: Pharmaceutical companies and contract research organisations appear consistently in victim lists, likely because they hold valuable intellectual property (clinical trial data, formulation records) that creates both operational disruption and IP theft leverage.

Financial services: Insurance providers and wealth management firms have been targeted in the U.S. and South Korea.

Manufacturing: Production environment disruption creates time pressure for manufacturers, making them viable targets across all ransomware groups.

Geographic expansion: Originally concentrated on U.S. and South Korean targets, RA World expanded to Germany, India, and Taiwan through 2024. The most notable recent expansion is into healthcare in Latin America — specifically targeting hospital networks in Brazil, Argentina, and Colombia where cybersecurity maturity tends to be lower and international incident response resources are less readily available.

Data Extortion and Leak Site

RA World operates a double-extortion model. Before encrypting, the group exfiltrates sensitive data — patient records, financial data, proprietary formulations, contracts, and employee PII. The threat of publishing that data is the second lever for extracting payment.

The group’s Tor-hosted leak site initially provided a countdown timer after which exfiltrated data would be published. The site has been consistently operational since April 2023, unlike some smaller groups that take their infrastructure offline between campaigns.

Ransom demands vary by target size. Published reports for RA World intrusions suggest demands typically in the range of $100,000 to $500,000 for smaller targets, with higher demands for large hospital networks and pharmaceutical firms where data sensitivity increases leverage.

Relationship to the Babuk Ecosystem

RA World is one of multiple active groups using Babuk-derived code. The Babuk leak created a floor of encryption capability accessible to any threat actor willing to adapt the codebase, without the years of development effort a purpose-built encryptor requires. Akira, Abyss Locker, and several smaller groups also use Babuk-derived code.

The shared source does not mean shared operations. RA World operates its own infrastructure, negotiation portal, and affiliate structure independently. Attribution of a Babuk-derived sample to RA World requires victim targeting patterns, ransom note format, and operational infrastructure rather than malware family designation alone.

Defensive Recommendations

GPO abuse as a propagation mechanism is detectable. Prioritise detection on:

  • GPO creation or modification events (Windows Event ID 5136, 5137) where the modifying account is not a known GPO admin
  • Execution of PowerShell scripts via SYSVOL paths from workstations and servers
  • Bulk authentication events from a domain controller account to many hosts in a short window (Kerberos TGS requests from unusual principals)
  • Antivirus or Windows Defender service stop events correlated with network execution sources

PolySwarm’s threat intelligence feed includes RA World sample IOCs. Cisco Talos’s original disclosure provides YARA rules applicable to Babuk-derived encryptors.

References

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting