Menu
Browse

Cyber Threat Actor: RA World

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
2 incidents
Profile

RA World is a ransomware‑focused threat actor that operates under the aliases Ransomware‑Admins and RWA and has been linked to Russia in open‑source reporting. The group emerged as a rebrand of the earlier RA Group and has increased its activity in recent years, presenting itself as a financially motivated criminal enterprise. Public sources describe RA World as employing ransomware to encrypt victim systems while simultaneously exfiltrating data for double‑extortion purposes.

The actor’s observed targeting includes the healthcare and financial sectors, as explicitly noted in research that describes its typical focus on those industries. Incidents attributed to RA World have affected a telecommunications provider in New Zealand and the Singapore branch of a global trading and services firm, indicating a willingness to strike organizations that hold valuable customer, financial, or operational data. Their strategic objective appears to be monetary gain through ransom demands and the threat of leaking stolen information, rather than espionage or pure disruption.

Technically, RA World deploys a customized variant of the Babuk ransomware family and gains initial access by exploiting misconfigured internet‑facing devices. Once inside a network, the group engages in credential theft and lateral movement to expand its reach before deploying the ransomware payload. After encryption, they routinely leak a sample of the exfiltrated data to validate the breach and pressure victims into paying, a tactic evident in both the Compass Communications and Melchers incidents.

Researchers have suggested possible ties between RA World and the Chinese‑linked threat actor Bronze Starlight, although no definitive state nexus has been publicly confirmed. The group’s notable campaigns include the December 2024 ransomware attack on Compass Communications, which resulted in the theft of 250 GB of sensitive data, and the June 2024 attack on Melchers’ Singapore branch, where 15 GB of financial and business documents were allegedly exfiltrated. These cases illustrate RA World’s pattern of ransomware deployment, data theft, and public leakage as a means of extortion.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources