Threat Actor Profile
High Cybercriminal
Description

RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.

Confidence Score
100%
Known Aliases
ragroup
Tags
ransomware ransomware.live ragroup
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'RA Group, also known as RA World, first surfaced in April '
                '2023, utilizing a custom variant of the Babuk ransomware.',
 'firstseen': '2023-04-27T12:51:07.620931+00:00',
 'group': 'raworld',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2024-12-28T11:49:04.653639+00:00',
 'locations': [{'available': False,
                'fqdn': 'pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion',
                'slug': 'http://pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion',
                'title': 'RA World',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion',
                'slug': 'http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion',
                'title': 'RA World',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 2,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion',
                                    'slug': 'http://pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion',
                                    'title': 'RA World',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion',
                                    'slug': 'http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion',
                                    'title': 'RA World',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 2,
                     'ransomware_live_group': 'raworld',
                     'tools': {'CredentialTheft': ['ProcDump'],
                               'DefenseEvasion': ['Bluetooth Stack for Windows '
                                                  'by Toshiba (toshdpdb.exe)'],
                               'DiscoveryEnum': [],
                               'Exfiltration': [],
                               'LOLBAS': ['PsExec'],
                               'Networking': ['NPS'],
                               'Offsec': ['Impacket'],
                               'RMM-Tools': []},
                     'url': 'https://www.ransomware.live/group/raworld',
                     'victims': 126,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['ProcDump'],
           'DefenseEvasion': ['Bluetooth Stack for Windows by Toshiba '
                              '(toshdpdb.exe)'],
           'DiscoveryEnum': [],
           'Exfiltration': [],
           'LOLBAS': ['PsExec'],
           'Networking': ['NPS'],
           'Offsec': ['Impacket'],
           'RMM-Tools': []},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/raworld',
 'victims': 126,
 'vulnerabilities': []}