executive summary

In 2024, Comparitech reported that the average extortion demand for ransomware attacks exceeded $5.2 million in the first half of the year. This figure is based on 56 documented ransom demands from January to June 2024, with the highest being a $100 million demand following an attack on India’s Regional Cancer Center in April 2024 [1].

The cybersecurity landscape has seen a significant surge in ransomware payments, with the average payment increasing by over 500%. According to Sophos' "State of Ransomware 2024" report, the average ransom payment rose to $2 million in the past year, up from $400,000 in 2023. Additionally, Marsh highlighted that in 2023, the median ransom demand jumped to $20 million from $1.4 million in 2022, and the average payment soared to $6.5 million from $335,000 in 2022 [2].

Recently, new ransomware groups such as RA World and DragonForce have emerged, significantly increasing ransomware attacks across the healthcare, manufacturing, technology, and finance sectors. These groups are making headlines with their targeted attacks on organizations. Let’s explore RA World and DragonForce and discuss recommendations on how organizations can protect themselves from these ransomware threats.

[1] Ransomware Attack Demands Reach a Staggering $5.2m in 2024 - Infosecurity Magazine (infosecurity-magazine.com)

[2] Ransomware: A persistent challenge in cyber insurance claims | Marsh

tir snapshot

  • RA World ransomware, previously known as the RA Group, has been a significant threat to organizations globally since its first appearance in April 2023.
  • RA World leverages the leaked Babuk ransomware source code from 2021 as a foundation for its operations. This strategy allows RA World to maintain agility and expedite its attacks, while also developing distinctive methods tailored to its targets.
  • RA World begins its attacks by compromising domain controllers, gaining initial access to the target networks.
  • RA World's ransom note uses extortion tactics, listing recent victims and pressuring others to comply with ransom demands.
  • DragonForce, also a relatively new ransomware strain, has gained significant attention due to its aggressive tactics and high-profile attacks targeting various organizations globally.
  • One of the most significant incidents attributed to DragonForce involved the attack on the Aussizz Group, a leading educational and migration consultancy. The ransomware gang claimed responsibility for exfiltrating and encrypting nearly 300GB of sensitive data.
  • Like many ransomware groups, DragonForce uses a dual extortion strategy, locking out victims from their systems through encryption and threatening to expose stolen data on the dark web unless ransom demands are met.
  • DragonForce typically begins its attacks through phishing emails or by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) solutions.
  • The increasing threat from ransomware groups like DragonForce and RA World means that there is an urgent need for strong cybersecurity measures.

ra world

RA World ransomware, previously known as the RA Group, has been a significant threat to organizations globally since its first appearance in April 2023. Although the threat actor targets a wide range of organizations, a significant number of attacks have occurred in the U.S., with additional incidents reported in Germany, India, and Taiwan. The group primarily targets the healthcare and financial sectors.

RA World leverages the leaked Babuk ransomware source code from 2021 as a foundation for its operations. This strategy allows RA World to maintain agility and expedite its attacks, while also developing distinctive methods tailored to its targets. Trend Micro noted in their analysis of the threat actor that despite utilizing Babuk as its core payload, RA World continues to refine its attack techniques and operational tactics over time.


Image 1: Attack Chain (Source: Trend Micro)

TACTICS + TECHNIQUES

RA World begins its attack by compromising domain controllers, gaining initial access to the target network. The attackers deploy malicious components into the SYSVOL share path, exploiting the Group Policy Object (GPO) infrastructure. This strategic placement allows the ransomware to execute during routine Group Policy processing, potentially affecting multiple machines within the domain.

Once inside the network, the ransomware uses a PowerShell script to execute Stage1.exe, which plays a crucial role in identifying and validating domain controllers. Stage1.exe then proceeds to deploy Stage2.exe across the network, leveraging the compromised Group Policy settings for lateral movement.

To ensure persistence within the compromised system, RA World creates a new service and manipulates the Boot Configuration Data (BCD) to enable Safe Mode with Networking. These actions, coupled with registry modifications, allow the ransomware to evade detection and maintain a foothold in the victim's environment.

The final stage of the attack involves deploying Stage3.exe, the ransomware payload, which encrypts data on compromised machines. RA World's ransom note uses extortion tactics, listing recent victims and pressuring others to comply with ransom demands.

In addition to data encryption, RA World operators deploy scripts to disable antivirus measures and manipulate system settings. These actions include wiping specific directories and removing Safe Mode options, culminating in a forced system reboot to ensure the ransomware's effectiveness.
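To make the chain above concrete from the detection side, here is an added Python example (not code from the report or from Trend Micro) that runs a handful of rules over constructed, simplified log lines covering the steps just described: a binary dropped under a SYSVOL GPO path, execution of Stage1/2/3.exe, a bcdedit change to Safe Mode boot settings, service creation, and a forced reboot. The log format, rule ids, host names, the GPO GUID placeholder and the three-rule threshold for a high-severity verdict are all this example's assumptions.

```python
"""Detection rules for the RA World behaviours described in the report.

Added example, not code from the report or from Trend Micro. Log lines
are constructed in a simplified pipe-delimited format
(timestamp|host|kind|detail), where kind is "file" (detail = path
written) or "process" (detail = command line); a real pipeline would
map Sysmon or Windows Security event fields into the same shape. The
rule ids and the high-severity threshold are this example's own
assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    ts: str
    host: str
    kind: str    # "file" or "process"
    detail: str  # file path for "file", command line for "process"


# (rule id, event kind, description, pattern). Each rule maps to one step
# of the chain described above; Stage1/2/3.exe are the names the report uses.
RULES = [
    ("RAW-01", "file", "Executable or script written under a SYSVOL GPO path",
     re.compile(r"\\SYSVOL\\.*\\Policies\\.*\.(exe|ps1|bat)$", re.I)),
    ("RAW-02", "process", "Execution of a StageN.exe binary",
     re.compile(r"\bstage[123]\.exe\b", re.I)),
    ("RAW-03", "process", "bcdedit changing Safe Mode boot settings",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot", re.I)),
    ("RAW-04", "process", "New service created from the command line",
     re.compile(r"\bsc(\.exe)?\s+create\b|\bNew-Service\b", re.I)),
    ("RAW-05", "process", "Forced reboot",
     re.compile(r"\bshutdown(\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I)),
]

# Constructed sample log (not real telemetry). {EXAMPLE-GPO-GUID} stands in
# for a GPO GUID. The deploy.ps1 line looks like an ordinary GPO startup
# script and should fire no rule on its own.
SAMPLE_LOG = r"""
2024-05-01T02:14:03|DC01|file|\\corp.local\SYSVOL\corp.local\Policies\{EXAMPLE-GPO-GUID}\Machine\Scripts\Startup\Stage1.exe
2024-05-01T02:15:10|WS07|process|powershell.exe -File \\corp.local\SYSVOL\corp.local\Policies\{EXAMPLE-GPO-GUID}\Machine\Scripts\Startup\deploy.ps1
2024-05-01T02:15:12|WS07|process|\\corp.local\SYSVOL\corp.local\Policies\{EXAMPLE-GPO-GUID}\Machine\Stage1.exe
2024-05-01T02:16:40|WS07|process|bcdedit.exe /set {default} safeboot network
2024-05-01T02:16:41|WS07|process|sc.exe create ExampleSvc binPath= "C:\ProgramData\Stage2.exe" start= auto
2024-05-01T02:30:00|WS07|process|shutdown.exe /r /f /t 0
2024-05-01T03:00:00|WS12|process|sc.exe create VendorHelper binPath= "C:\Program Files\Vendor\helper.exe"
""".strip()


def parse_log(text: str) -> List[Event]:
    """Parse the simplified pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append(Event(ts, host, kind, detail))
    return events


def match_rules(ev: Event) -> List[str]:
    """Return the ids of every rule whose kind and pattern match the event."""
    return [rid for rid, kind, _desc, rx in RULES
            if ev.kind == kind and rx.search(ev.detail)]


def score_hosts(events: List[Event], high_threshold: int = 3) -> Dict[str, dict]:
    """Group rule hits per host. Several distinct steps on one host is the
    multi-stage pattern, so that host is rated high (threshold is an assumption)."""
    hits: Dict[str, set] = {}
    for ev in events:
        for rid in match_rules(ev):
            hits.setdefault(ev.host, set()).add(rid)
    return {host: {"rules": sorted(rids),
                   "severity": "high" if len(rids) >= high_threshold else "low"}
            for host, rids in hits.items()}


if __name__ == "__main__":
    for host, verdict in score_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, verdict["severity"], ", ".join(verdict["rules"]))
```

Each rule alone is noisy (GPO startup scripts and `sc create` are routine administration), which is why the verdict depends on how many distinct steps land on one host; the deploy.ps1 line in the sample fires nothing by itself, and WS12's lone service creation stays low. Feeding real Sysmon Event ID 1 (process creation) and Event ID 11 (file create) records into the Event shape is left to the reader's pipeline.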


DRAGONFORCE

DragonForce, also a relatively new ransomware strain, has gained significant attention due to its aggressive tactics and high-profile attacks targeting various organizations globally. The group first surfaced in November 2023, establishing its presence with notable attacks on diverse targets including the Ohio Lottery, Yakult Australia, and Coca-Cola Singapore.

One of the most significant incidents attributed to DragonForce involved the attack on the Aussizz Group, a leading educational and migration consultancy. The ransomware gang claimed responsibility for exfiltrating and encrypting nearly 300GB of sensitive data, showcasing their ability to target and impact large organizations with significant data stores.

A hacktivist group named DragonForce, operating out of Malaysia, executed several campaigns against government agencies and organizations in the Middle East and Asia during 2021 and 2022. In 2022, the group declared plans to release ransomware. However, with limited available information, it remains unclear if the recently identified DragonForce ransomware is linked to this hacktivist group.

In a unique incident involving the government of Palau in March 2024, DragonForce and another ransomware group, LockBit, both claimed responsibility for locking government systems. The ransom notes provided conflicting instructions, indicative of internal discord or miscommunication among the cybercriminals. Palauan authorities, however, denied any engagement with the attackers.

TACTICS + TECHNIQUES

Like many ransomware groups, DragonForce uses a dual extortion strategy, locking out victims from their systems through encryption and threatening to expose stolen data on the dark web unless ransom demands are met.

However, DragonForce has also distinguished itself not only through its operational ruthlessness but also through unconventional methods such as publishing audio recordings of negotiations with victims on their dark web site. This approach appears aimed at intensifying pressure on organizations to comply with ransom demands.

DragonForce typically begins its attacks through phishing emails or by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) solutions. Once inside the network, DragonForce can propagate quickly, encrypting critical systems and data.

Recent reports by Cyble Research & Intelligence Labs revealed DragonForce's use of a ransomware builder leaked from the LockBit group, specifically the LockBit Black variant. In September 2022, a user on X (Twitter) posted a link to download the LockBit ransomware builder. This tool allows threat actors to tailor the ransomware payload to their specific needs.

It also comes with a "config.json" file that allows for customization of various features, such as encryption mode, filename encryption, impersonation, exclusion of certain files and folders from encryption, and exclusion based on language for CIS countries. The configuration file also includes a template for the ransom note. DragonForce appears to be leveraging existing malware infrastructure to strengthen its own capabilities and streamline operations.

LOCKBIT

LockBit Black, or LockBit 3.0, is the third iteration of the LockBit ransomware. It was launched in March 2022 and was leaked six months later by a discontented developer within the group.

In response, LockBit administrators introduced a so-called new version, named LockBit Green, which was later revealed to be a rebranded Conti encryptor.

Despite the LockBit group's infrastructure being dismantled by Operation Cronos, an international law enforcement initiative, in February 2024, the LockBit Black builder remains accessible to the public.

The discovery of DragonForce ransomware and its connection to the leaked LockBit Black ransomware builder stresses the increasing danger of using leaked malware-building tools in cyberattacks. These tools allow threat actors to easily create and deploy customized ransomware, making it easier for them to attack organizations.

DRAGONFORCE SEEKS NEW PARTNERS

In June 2024, DragonForce announced on a dark web forum that they are actively seeking new partners to join their Ransomware-as-a-Service (RaaS) operation. This initiative aims to strengthen their capabilities by recruiting specialists such as access specialists and pentesters.

In their recruitment pitch, DragonForce offers partners access to their established infrastructure and advanced tools. Partners receive an 80% revenue share and benefit from state-of-the-art technologies as well as fully automated operational processes, which the group presents as improving efficiency and operations.

DragonForce’s operational framework includes a comprehensive control panel for partners to monitor attack progress and manage operational aspects in real-time. They facilitate automated file issuance for attacks and provide capabilities for testing scripts, ensuring partners can validate tools and techniques before deployment in actual attacks.

CONCLUSION

Ransomware threats are becoming more sophisticated and persistent, affecting organizations globally. DragonForce ransomware has gained attention for using leaked ransomware builders from LockBit and using tactics that threaten both data encryption and exposure. The group has targeted major entities like the Ohio Lottery, Yakult Australia, and the Aussizz Group, showcasing their ability to disrupt and damage large organizations.

Similarly, RA World, previously known as the RA Group, is another significant ransomware threat. The group has attacked organizations in the U.S., Germany, India, and Taiwan, particularly focusing on the healthcare, insurance, and financial sectors. RA World uses Babuk's leaked source code, compromises domain controllers, and alters Group Policy settings to infiltrate networks and launch multi-stage attacks. This approach makes the group difficult to detect and allows it to cause extensive damage.

The increasing threat from ransomware groups like DragonForce and RA World means that there is an urgent need for strong cybersecurity measures. Organizations must regularly back up data, keep security software updated, and educate employees about cyber threats. As ransomware tactics evolve, it is important for organizations and cyber security professionals to stay alert and use advanced security strategies to protect their data.

AVERTIUM'S RECOMMENDATIONS

RA World & DragonForce:

  • Limit Administrative Privileges - Reduce the attack surface by limiting administrative privileges to essential personnel only. Adopt the principle of least privilege (PoLP) to minimize pathways for malware propagation within the network.

  • Maintain Up-to-Date Security Software - Ensure all security software, including antivirus, anti-malware, and firewalls, is regularly updated to detect and block evolving threats.

  • Regularly Backup Critical Data - Frequently back up critical data and store backups securely offline. Test backup restoration processes to ensure data integrity and quick recovery in case of ransomware encryption or data loss.

  • Educate Employees on Cybersecurity Best Practices - Train employees to recognize phishing attempts, suspicious emails, and other common attack vectors. Foster a culture of security awareness and encourage prompt reporting of potential security threats.

  • Advanced Anti-Malware Solutions - Deploy robust anti-malware tools equipped with signature-based detection, heuristic analysis, and machine learning.

  • Enhanced Authentication and Access Controls - Implement strong authentication methods like Multi-Factor Authentication (MFA) and enforce strict access controls to safeguard against unauthorized access attempts.

  • Regular Security Audits and Vulnerability Management - Conduct routine security audits and vulnerability assessments to identify and fix potential weaknesses in network configurations, system settings, and applications.

how avertium is protecting our customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from RA World and DragonForce:

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
  • Avertium uses KnowBe4 as a professional service for user awareness training. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

MITRE MAP(s)

DragonForce MITRE Map (image)

RA World MITRE Map (image)


INDICATORS OF COMPROMISE (IOCs)

DragonForce

  • CVEs
    • CVE-2021-44228
    • CVE-2023-46805
    • CVE-2024-21412
    • CVE-2024-21887
    • CVE-2024-21893
  • MD5
    • 2915b3f8b703eb744fc54c81f4a9c67f
    • 7bdbd180c081fa63ca94f9c22c457376
    • d54bae930b038950c2947f5397c13f84
  • SHA1
    • bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c
    • e10361a11f8a7f232ac3cb2125c1875a0a69a3e4
    • e164bbaf848fa5d46fa42f62402a1c55330ef562
  • SHA256
    • 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b
    • 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
    • a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

RA World

  • MD5
    • 65a8e27d8879283831b664bd8b7f0ad4
    • 7844c0c39d820d373569bbc1c8dfa8ee
  • SHA1
    • 0a0a9f2a6772942557ab5355d76af442f8f65e01
    • ee4fc26e3ec51ce2fc260583cdc94c40b1af3dae
  • SHA256
    • 07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
    • 330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819
    • 62cd46988f179edf8013515c44cbb7563fc216d4e703a2a2a249fe8634617700
    • 9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de
    • a4dfa099e1f52256ad4a3b2db961e158832b739126b80677f82b0722b0ea5e59
    • ab7d8832e35bba30df50a7cca7cefd9351be4c5e8961be2d0b27db6cd22fc036
    • dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f
    • feab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c
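As an added example (not part of the report), the following Python script sweeps a directory tree and reports files whose MD5, SHA-1 or SHA-256 digest appears in the two lists above; the digests are copied from the lists, while the directory layout and file contents in run_demo() are constructed. The constructed "hit" file contains the 13-byte string "Hello, World!": its MD5, SHA-1 and SHA-256 are 65a8e27d…, 0a0a9f2a… and dffd6021…, which are three of the RA World entries above. That is the practical caveat a hash sweep needs: a published IOC list can carry generic or test values, so review a feed before wiring it into automated blocking, and treat a hash hit as a lead to triage rather than proof of infection.

```python
"""Sweep a directory for files whose digests appear in the report's IOC lists.

Added example, not code from the report. The hash values are copied from
the IOC section above; the directory layout and file contents in
run_demo() are constructed for this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Digests from the report's IOC section, keyed by hashlib algorithm name.
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        # DragonForce
        "2915b3f8b703eb744fc54c81f4a9c67f",
        "7bdbd180c081fa63ca94f9c22c457376",
        "d54bae930b038950c2947f5397c13f84",
        # RA World
        "65a8e27d8879283831b664bd8b7f0ad4",
        "7844c0c39d820d373569bbc1c8dfa8ee",
    },
    "sha1": {
        # DragonForce
        "bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c",
        "e10361a11f8a7f232ac3cb2125c1875a0a69a3e4",
        "e164bbaf848fa5d46fa42f62402a1c55330ef562",
        # RA World
        "0a0a9f2a6772942557ab5355d76af442f8f65e01",
        "ee4fc26e3ec51ce2fc260583cdc94c40b1af3dae",
    },
    "sha256": {
        # DragonForce
        "1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b",
        "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
        "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91",
        # RA World
        "07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492",
        "330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819",
        "62cd46988f179edf8013515c44cbb7563fc216d4e703a2a2a249fe8634617700",
        "9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de",
        "a4dfa099e1f52256ad4a3b2db961e158832b739126b80677f82b0722b0ea5e59",
        "ab7d8832e35bba30df50a7cca7cefd9351be4c5e8961be2d0b27db6cd22fc036",
        "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f",
        "feab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c",
    },
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Digest an in-memory blob with every algorithm in the IOC table."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file once for all algorithms, streaming so large files are fine."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs that appear in the IOC lists."""
    return [(name, d) for name, d in digests.items() if d.lower() in IOC_HASHES[name]]


def sweep(root: Path) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, algorithm, digest) for every IOC match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            try:
                digests = digest_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            for name, d in match_iocs(digests):
                hits.append((str(path), name, d))
    return sorted(hits)


def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed demo: two files, one of which hashes to RA World IOC entries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_bytes(b"quarterly figures, nothing unusual")
        (root / "sub").mkdir()
        (root / "sub" / "sample.bin").write_bytes(b"Hello, World!")
        hits = sweep(root)
        return [(Path(p).relative_to(root).as_posix(), name, d) for p, name, d in hits]


if __name__ == "__main__":
    for rel, name, d in run_demo():
        print(f"{rel}: {name} {d}")
```

Hashing every file with all three algorithms in one pass keeps the sweep to a single read per file, and a hit is reported per algorithm so an analyst can see whether a file matches one list or all of them.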


Supporting Documentation

Fast-Growing RA Ransomware Group Goes Global (darkreading.com)

RA World Ransomware: what’s the impact and who are the victims? | by BAlves | Medium

Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO - LevelBlue - Open Threat Exchange (alienvault.com)

RA World Ransomware Exploits Group Policy infrastructure (gbhackers.com)

Ransomware Group “RA World” Changes Its’ Name and Begins Targeting Countries Around the Globe (knowbe4.com)

Threat Actor "DragonForce" Seeks New Partners (redhotcyber.com)

DragonForce Ransomware Breach Exposes Davis & Young (halcyon.ai)

New DragonForce Ransomware Exploits Leaked LOCKBIT Builder - LevelBlue - Open Threat Exchange (alienvault.com)

How MFA Failures are Fueling a 500% Surge in Ransomware Losses (thehackernews.com)

Ransomware Attack Demands Reach a Staggering $5.2m in 2024 - Infosecurity Magazine (infosecurity-magazine.com)

Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO | Trend Micro (UAE)

new-dragonforce-ransomware-may1-15-12.pdf (mphasis.com)

Dark Web Profile: DragonForce Ransomware - SOCRadar® Cyber Intelligence Inc.

DragonForce Ransomware - What You Need To Know | Tripwire

LOCKBIT Black's Legacy: Unraveling The DragonForce Ransomware Connection - Cyble

DragonForce Ransomware Group Uses LockBit’s Leaked Builder - Infosecurity Magazine (infosecurity-magazine.com)

Ransomware: A persistent challenge in cyber insurance claims | Marsh

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.