Ransomware
Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
The Trend Micro threat hunting team came across an RA World attack involving multistage components designed to ensure maximum impact.
The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors.
The Trend Micro threat hunting team came across an RA World attack targeting several healthcare organizations in the Latin American region that involve multi-stage components designed to ensure maximum impact and success in the group’s operations.
The RA World multi-stage attack
Initial Access
The RA World operators initially gain entry via compromised domain controllers and deliver their components to the SYSVOL share path for a machine Group Policy Object (GPO).
Privilege Escalation
Our internal telemetry indicates that Stage1.exe is executed using PowerShell within the network, suggesting that Group Policy settings have likely been changed to allow PowerShell script execution.
$systemdir$\WindowsPowerShell\v1.0\powershell.exe → \\ <servername>\SYSVOL\<domain>\Policies\<GUID>\MACHINE\Microsoft\Stage1.exe
Given that the malware is placed within the Group Policy infrastructure, it's possible that the attacker has tampered with Group Policy settings or scripts to include the malicious payload. This could allow the malware to execute on targeted machines as part of the Group Policy processing, potentially affecting multiple machines within the domain.
Lateral Movement
Initially, Stage1.exe lists all domain controllers associated with the current domain. It then validates the current domain name and proceeds to iterate through each domain controller, terminating if specific conditions are met.
These conditions include checking the first part of the domain controller's name to see if it matches the local machine's host name. Furthermore, Stage1.exe also checks for the existence of Finish.exe and Exclude.exe in the %WINDIR%\Help Directory. The presence of Finish.exe suggests potential prior compromise, while Exclude.exe indicates a possible exclusion of the machine.
After the initial check, the ransomware verifies if Stage2.exe is already present in the local machine’s %WINDIR%\Help directory. If not, it will copy pay.txt and Stage2.exe from the hardcoded SYSVOL Path to the local machine and proceed to execute Stage2.exe.
This analysis indicates a targeted attack, as the binary contains a hardcoded company domain name and SYSVOL path. Additionally, it suggests a strategy where payloads initially reside within the compromised machine and then executed to other local machines using Group Policies, signifying a multi-stage attack approach aimed at compromising systems within the target network.
Stage2.exe is responsible for delivering the ransomware payload. Like stage1.exe, it also contains embedded strings featuring the domain name of the targeted company.
Persistence
The program initiates by assessing whether the machine operating in safe mode. If not, it will perform a similar verification for Exclude.exe and Finish.exe. It then proceeds to create a new service named MSOfficeRunOncelsls, which includes Stage2.exe as a service configured to run in Safe Mode with Networking.
Defense Evasion
Additionally, it configures the Boot Configuration Data (BCD) to enable Safe Mode with Networking, and proceeds to start the machine to initiate the mode.
If the machine is already in Safe Mode, Stage2.exe similarly verifies the absence of Exclude.exe and Finish.exe on the system. Subsequently, it decrypts pay.txt using Base64 and AES encryption, transferring its contents to Stage3.exe, which serves as the ransomware payload.
After executing the ransomware payload, it will undergo cleanup activities, which will delete the malware remnants and create registry keys.
Impact
Finally, the RA World ransomware payload (Stage3.exe) is deployed. The ransomware, which uses the leaked Babuk source code, drops the text file Finish.exe which only contains the string “Hello, World”. It also creates the mutex “For whom the bell tolls, it tolls for thee.” In earlier versions, it used the same mutex name as the Babuk ransomware.
In the ransom note, the threat actor also included the list of recent victims who were unable to pay the ransom fee as part of extortion tactics, pressuring other victims to comply with the group’s demands.
Anti-AV measures
The RA World operators also deploy SD.bat, a script that attempts to wipe out the Trend Micro folder. Furthermore, it uses the WMI command-line (WMIC) utility to gather information about the disks and leaves a log in C:\DISKLOG.TXT.
After the deletion of the Trend Micro folder, the ransomware will then remove the Safe Mode with Networking option created from the default boot configuration in Windows.
Finally, it will immediately reboot the computer by force.
Insights
Despite Babuk’s “retirement” in 2021, the leakage of the gang’s source code enabled numerous new threat groups to easily enter the ransomware landscape, including the operators of the RA World ransomware. Along with the emergence of ransomware-as-a-service (RaaS), these kinds of source code leaks lower the bar of entry for ransomware operators, allowing cybercriminals that lack the necessary technical skills and knowledge to create their own ransomware families to participate in malicious operations.
Our analysis indicates that incidents involving the RA World ransomware and healthcare institutions are targeted, evidenced by the component files containing strings associated with the victim company.
Recommendations and solutions
Organizations can consider employing the following best practices to minimize the chances of falling victim to ransomware attacks:
- Assign administrative rights and access to employees only when required.
- Regularly update security products and conduct periodic scans.
- Safeguard essential data through routine backups to prevent potential loss.
- Practice caution with email and website interactions, downloading attachments, clicking URLs, and executing programs.
- Prompt users to report potentially suspicious emails and files to security teams.
- Educate users regularly on the risks and indicators of social engineering.
Using a multilayered security approach enables organizations to strengthen potential access points into their system, including endpoints, emails, web interfaces, and networks. The following security solutions are capable of identifying malicious components and anomalous behavior, enhancing enterprise security:
- Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise
The indicators of compromise for this entry can be found here.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique | ID |
---|---|---|
Privelege Escalation | Group Policy Modification | T1484.001 |
Lateral Movement | Lateral Tool Transfer | T1570 |
Defense Evasion | Impair Defenses – Safe Mode Boot | T1562.009 |
Indicator Removal | T1070 | |
Indicator Removal – File Deletion | T1070.004 | |
Modify Registry | T1112 | |
Persistence | Create or Modify System Process – Windows Service | T1543.003 |
Impact | Data Encrypted for Impact | T1486 |
System Shutdown/Reboot | T1529 | |
Data Destruction | T1485 |