{"id":55486,"date":"2024-03-04T00:00:00","date_gmt":"2024-03-04T00:00:00","guid":{"rendered":"urn:uuid:4716d93e-f778-b684-bfad-2509990b0deb"},"modified":"2024-03-04T00:00:00","modified_gmt":"2024-03-04T00:00:00","slug":"multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/","title":{"rendered":"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ra-world-cover:Large?qlt=80\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.298308103295\"> <\/p>\n<div class=\"root 
responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1822288663\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.746153846154\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.030769230769\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">The Trend Micro threat hunting team came across an RA World attack involving multistage components designed to ensure maximum impact.<\/p>\n<p class=\"article-details__author-by\">By: Nathaniel Morales, Katherine Casona, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Maristel Policarpio, Jacob Santos <time class=\"article-details__date\">March 04, 2024<\/time><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"31.969696969697\">\n<div readability=\"13.701298701299\">\n<p>The RA World <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/Ransomware\">ransomware<\/a> (previously known as RA Group) has breached organizations around the world since its <a href=\"https:\/\/blog.talosintelligence.com\/ra-group-ransomware\/\">first appearance in April 2023<\/a>. Although the group casts a wide net, many of its targets were in the US, with smaller numbers of attacks in countries such as Germany, India, and Taiwan. 
When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-1.jpg\" alt=\"Figure 1. Industries affected by RA World ransomware based on the group\u2019s leak site\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Industries affected by RA World ransomware based on the group\u2019s leak site<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-2.jpg\" alt=\"Figure 2. Countries affected by RA World ransomware based on the group\u2019s leak site\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. 
Countries affected by RA World ransomware based on the group\u2019s leak site<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The Trend Micro threat hunting team came across an RA World attack targeting several healthcare organizations in the Latin American region that involve&nbsp;multi-stage components designed to ensure maximum impact and success in the group\u2019s operations.<\/p>\n<p><span class=\"body-subhead-title\">The RA World multi-stage attack<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"fccc83\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-3.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-3.jpg\" alt=\"Figure 3. The RA World attack chain\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
The RA World attack chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"45.5\">\n<div readability=\"36\">\n<h2><span class=\"body-subhead-title\">Initial Access<\/span><\/h2>\n<p>The RA World operators gain their initial foothold through compromised domain controllers and stage their components in the SYSVOL share, under the path of a machine Group Policy Object (GPO).<\/p>\n<h2><span class=\"body-subhead-title\">Privilege Escalation<\/span><\/h2>\n<p>Our internal telemetry shows <i>Stage1.exe<\/i> being launched by PowerShell across the network, which suggests that Group Policy settings were changed to allow PowerShell script execution:<\/p>\n<p><span class=\"blockquote\">$systemdir$\\WindowsPowerShell\\v1.0\\powershell.exe \u2192 \\\\&lt;servername&gt;\\SYSVOL\\&lt;domain&gt;\\Policies\\&lt;GUID&gt;\\MACHINE\\Microsoft\\Stage1.exe<\/span><\/p>\n<p>Because the malware sits inside the Group Policy infrastructure, it is possible that the attacker tampered with Group Policy settings or scripts to include the malicious payload. Group Policy processing would then execute the malware on every targeted machine the GPO applies to, potentially affecting multiple machines within the domain.<\/p>\n<h2><span class=\"body-subhead-title\">Lateral Movement<\/span><\/h2>\n<p><i>Stage1.exe<\/i> first lists all domain controllers for the current domain. It then validates the current domain name and iterates through each domain controller, terminating if specific conditions are met.<\/p>\n<p>One of these conditions compares the first label of the domain controller&#8217;s name with the local machine&#8217;s host name, that is, it checks whether <i>Stage1.exe<\/i> is running on a domain controller itself. <i>Stage1.exe<\/i> also checks for <i>Finish.exe<\/i> and <i>Exclude.exe<\/i> in the <i>%WINDIR%\\Help<\/i> directory: the presence of <i>Finish.exe<\/i> suggests prior compromise, while <i>Exclude.exe<\/i> marks the machine as one to be excluded.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-4b.jpg\" alt=\"Figure 4. Stage1.exe checking if the conditions are met before proceeding\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Stage1.exe checking if the conditions are met before proceeding<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>After these checks, <i>Stage1.exe<\/i> verifies whether <i>Stage2.exe<\/i> is already present in the local machine\u2019s <i>%WINDIR%\\Help<\/i> directory. If not, it copies <i>pay.txt<\/i> and <i>Stage2.exe<\/i> from the hardcoded SYSVOL path to the local machine and executes <i>Stage2.exe<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-5b.jpg\" alt=\"Figure 5. Stage1.exe copying the payload to the local machine\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Stage1.exe copying the payload to the local machine<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>This analysis indicates a targeted attack, as the binary contains a hardcoded company domain name and SYSVOL path. 
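<\/p>\n<p>The delivery pattern just described, executables staged under a GPO&#8217;s <i>MACHINE<\/i> folder in SYSVOL, marker files in <i>%WINDIR%\\Help<\/i>, and <i>powershell.exe<\/i> launching a binary straight from the share, can be hunted for from any domain-joined host. The PowerShell script below is an added example written for this page; it is not code from the Trend Micro analysis and not RA World code. It assumes read access to the domain&#8217;s SYSVOL share over DFS, optionally the GroupPolicy RSAT module (used only to resolve GPO display names), and, for the last check, that process creation auditing with command-line logging (Security event 4688) is enabled. The file names <i>Finish.exe<\/i>, <i>Exclude.exe<\/i>, <i>Stage2.exe<\/i> and <i>pay.txt<\/i> are the ones the article reports; the function names and the extension list are ours.<\/p>\n
```powershell
# Added hunt script for the Stage1.exe delivery pattern described above (example code, not
# from the Trend Micro write-up). It looks for three things:
#   1. PE files staged under any GPO folder in SYSVOL (legitimate GPOs carry .pol/.inf/.ini/
#      .xml/.admx and script files, not executables);
#   2. the marker and payload files Stage1.exe uses in %WINDIR%\Help on this host;
#   3. recent process creations whose command line points at an .exe inside SYSVOL.
# Assumptions: read access to \\<domain>\SYSVOL, optional GroupPolicy RSAT module, and
# command-line auditing enabled for check 3. Everything not named in the article is ours.

param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$LookbackDays = 7
)

function Find-SysvolExecutables {
    param([string]$Domain)
    $policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policyRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com' } |
        ForEach-Object {
            # Layout is \\dom\SYSVOL\dom\Policies\{GUID}\MACHINE|USER\...; index 6 is the GPO GUID.
            $guid = ($_.FullName -split '\\')[6]
            $gpoName = 'unresolved'
            if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
                try { $gpoName = (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch {}
            }
            [pscustomobject]@{
                Path    = $_.FullName
                Gpo     = $gpoName
                Written = $_.LastWriteTime
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-StageMarkers {
    # Finish.exe = "already done here", Exclude.exe = "skip this host"; Stage2.exe and pay.txt
    # are the copied payload. Any of them in %WINDIR%\Help deserves an incident ticket.
    $helpDir = Join-Path $env:WINDIR 'Help'
    foreach ($name in 'Finish.exe', 'Exclude.exe', 'Stage2.exe', 'pay.txt') {
        $p = Join-Path $helpDir $name
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{ Path = $p; Size = $item.Length; Written = $item.LastWriteTime }
        }
    }
}

function Find-SysvolLaunches {
    param([int]$Days)
    # Event 4688 carries the command line only when "Include command line in process creation
    # events" is enabled; without that policy this check is blind and returns nothing.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\SYSVOL\\[^\r\n]*\\Policies\\[^\r\n]*\.exe' } |
        Select-Object TimeCreated, @{ n = 'Command'; e = {
            ($_.Message -split "`n" | Where-Object { $_ -like '*Process Command Line*' }) -join ' ' } }
}

Write-Host "== Executables staged in SYSVOL GPO folders =="
Find-SysvolExecutables -Domain $Domain | Format-Table -AutoSize
Write-Host "== Stage1.exe marker/payload files in $env:WINDIR\Help =="
Find-StageMarkers | Format-Table -AutoSize
Write-Host "== Processes launched from SYSVOL in the last $LookbackDays days =="
Find-SysvolLaunches -Days $LookbackDays | Format-Table -AutoSize -Wrap
```
\n<p>Anything this returns is a lead, not a verdict: some software vendors do distribute executables through GPO folders, so compare the hashes against what the GPO owner expects before escalating.<\/p>\n<p>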
Additionally, it points to a strategy in which payloads are first staged on the compromised domain controller and then pushed to other machines through Group Policy, a multistage approach aimed at compromising systems across the target network.<\/p>\n<p><i>Stage2.exe<\/i> is responsible for delivering the ransomware payload. Like <i>Stage1.exe<\/i>, it contains embedded strings with the domain name of the targeted company.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-6b.jpg\" alt=\"Figure 6. Stage2.exe with the targeted company name indicated in the \u201cargs\u201d string\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. Stage2.exe with the targeted company name indicated in the \u201cargs\u201d string<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h2><span class=\"body-subhead-title\">Persistence<\/span><\/h2>\n<p><i>Stage2.exe<\/i> starts by checking whether the machine is running in Safe Mode. If it is not, it repeats the check for <i>Exclude.exe<\/i> and <i>Finish.exe<\/i>. It then creates a new service named <i>MSOfficeRunOncelsls<\/i> that runs <i>Stage2.exe<\/i>, and registers the service to run in <i>Safe Mode with Networking<\/i>.<\/p>\n<h2><span class=\"body-subhead-title\">Defense Evasion<\/span><\/h2>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"9b1bc1\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-7.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-7.jpg\" alt=\"Figure 7. Creating a service and adding registry keys for Safe Mode\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"a00986\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-7b.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-7b.jpg\" alt=\"Figure 7. Creating a service and adding registry keys for Safe Mode\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Creating a service and adding registry keys for Safe Mode<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>It also modifies the Boot Configuration Data (BCD) so that the next boot enters <i>Safe Mode with Networking<\/i>, then restarts the machine to bring that mode up. Booting into Safe Mode is the evasion step: most endpoint security products do not start there, while the newly registered service does.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-8.jpg\" alt=\"Figure 8. Enabling Safe Mode\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Enabling Safe Mode<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>If the machine is already in Safe Mode, <i>Stage2.exe<\/i> again verifies that <i>Exclude.exe<\/i> and <i>Finish.exe<\/i> are absent. It then Base64-decodes and AES-decrypts <i>pay.txt<\/i> and writes the result to <i>Stage3.exe<\/i>, the ransomware payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-9.jpg\" alt=\"Figure 9. Decrypting the ransomware payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. 
Decrypting the ransomware payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Once the ransomware payload has run, cleanup code deletes the malware remnants and creates registry keys.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-10.jpg\" alt=\"Figure 10. The cleanup code\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. The cleanup code<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.353765323993\">\n<div readability=\"21.345008756567\">\n<h2><span class=\"body-subhead-title\">Impact<\/span><\/h2>\n<p>Finally, the RA World ransomware payload (<i>Stage3.exe<\/i>) runs. The ransomware, which is built from the leaked <a href=\"https:\/\/techmonitor.ai\/technology\/cybersecurity\/babuk-source-code-ransomware-malware\">Babuk source code<\/a>, drops <i>Finish.exe<\/i>, a text file that contains only the string \u201c<i>Hello, World<\/i>\u201d and serves as the marker that <i>Stage1.exe<\/i> and <i>Stage2.exe<\/i> check for. It also creates the mutex \u201c<i>For whom the bell tolls, it tolls for thee<\/i>.\u201d Earlier versions used the same mutex name as the Babuk ransomware.<\/p>\n<p>The ransom note also lists recent victims who did not pay the ransom, an extortion tactic meant to pressure other victims into complying with the group\u2019s demands.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"49c30b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-11.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-11.jpg\" alt=\"Figure 11. The RA World ransom note\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. The RA World ransom note<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<h2><span class=\"body-subhead-title\">Anti-AV measures<\/span><\/h2>\n<p>The RA World operators also deploy <i>SD.bat<\/i>, a batch script that attempts to delete the Trend Micro folder. It also uses the WMI command-line utility (WMIC) to gather information about the disks and writes the output to <i>C:\\DISKLOG.TXT<\/i>.<\/p>\n<p>After deleting the Trend Micro folder, the script removes the <i>Safe Mode with Networking<\/i> setting that had been added to the default boot configuration, returning the machine to a normal boot.<\/p>\n<p>Finally, it forces an immediate reboot.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ra-world-12.jpg\" alt=\"Figure 12. The SD.bat script\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. The SD.bat script<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"43.19239738806\">\n<div readability=\"33.000932835821\">\n<p>Despite Babuk\u2019s \u201cretirement\u201d in 2021, the leak of the gang\u2019s source code has let numerous new threat groups enter the ransomware landscape with little effort, including the operators of the RA World ransomware. 
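<\/p>\n<p>The Safe Mode persistence described in the Persistence and Defense Evasion sections leaves two artifacts that can be audited on a host: the service registration that keeps <i>MSOfficeRunOncelsls<\/i> alive in Safe Mode with Networking, and the BCD change that forces the next boot into that mode. The PowerShell script below is an added example written for this page, not code from the Trend Micro analysis or from RA World. It relies on the documented Windows mechanism for Safe Mode services, a subkey under <i>HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network<\/i>, and on <i>bcdedit<\/i> output. It must run elevated, the output parsing assumes an English-language Windows, and the review rules (Microsoft-signed binary under System32) are ours and will need tuning per environment. The service name and the <i>%WINDIR%\\Help<\/i> drop location come from the article.<\/p>\n
```powershell
# Added audit script for the Safe Mode persistence described in the Persistence and Defense
# Evasion sections (example code, not from the Trend Micro write-up). Two artifacts are checked:
#   1. services registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network, which
#      is how a service is kept running in "Safe Mode with Networking" (Stage2.exe's service
#      MSOfficeRunOncelsls, named in the article, is called out explicitly);
#   2. BCD entries carrying a "safeboot" flag, which force the next boot into Safe Mode
#      (typically set with: bcdedit /set {default} safeboot network).
# Run from an elevated PowerShell: bcdedit needs administrator rights. The review rules
# (Microsoft-signed binary under System32) are ours and will need tuning per environment.

function Get-SafeBootNetworkServices {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($entry in Get-ChildItem -Path $key) {
        # Subkeys are either service names or driver group names; keep only real services.
        $svc = $services | Where-Object { $_.Name -eq $entry.PSChildName }
        if (-not $svc) { continue }

        # PathName may be quoted and carry arguments ("C:\x\y.exe" -k foo); isolate the image.
        $exe = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $svc.PathName }
        $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

        $signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned or missing' }
        $inSystem32 = $exe -like "$env:SystemRoot\System32\*"
        $inHelpDir  = $exe -like "$env:SystemRoot\Help\*"     # where the article says Stage2.exe was dropped

        [pscustomobject]@{
            Service   = $svc.Name
            Binary    = $exe
            StartMode = $svc.StartMode
            Signer    = $signer
            Review    = ($svc.Name -eq 'MSOfficeRunOncelsls') -or $inHelpDir -or
                        -not $inSystem32 -or ($null -eq $sig) -or ($sig.Status -ne 'Valid')
        }
    }
}

function Get-SafeBootFlags {
    # "bcdedit /enum all" prints blocks that start with "identifier {guid}"; an entry that will
    # boot into Safe Mode has a "safeboot  Network|Minimal|DsRepair" line inside its block.
    # bcdedit output is localized; these patterns match English Windows.
    $current = $null
    foreach ($line in (& bcdedit.exe /enum all 2>&1)) {
        if ($line -match '^identifier\s+(\S+)') { $current = $Matches[1] }
        elseif ($line -match '^safeboot\s+(\S+)') {
            [pscustomobject]@{ Entry = $current; SafeBoot = $Matches[1] }
        }
    }
}

$flags = @(Get-SafeBootFlags)
if ($flags.Count -gt 0) {
    Write-Warning "Boot entries forced into Safe Mode: $(($flags | ForEach-Object { "$($_.Entry)=$($_.SafeBoot)" }) -join ', ')"
} else {
    Write-Host 'No BCD entry carries a safeboot flag.'
}

Write-Host '== Services registered to run in Safe Mode with Networking (Review = needs a look) =='
Get-SafeBootNetworkServices | Sort-Object Review -Descending | Format-Table -AutoSize
```
\n<p>Run it before the forced reboot lands if you can: once <i>SD.bat<\/i> has removed the <i>safeboot<\/i> flag, only the service registration and the event logs remain as evidence of the Safe Mode detour.<\/p>\n<p>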
Along with the emergence of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware-as-a-service-raas\">ransomware-as-a-service<\/a> (RaaS), these kinds of source code leaks lower the bar of entry for ransomware operators, allowing cybercriminals that lack the necessary technical skills and knowledge to create their own ransomware families to participate in malicious operations.<\/p>\n<p>Our analysis indicates that incidents involving the RA World ransomware and healthcare institutions are targeted, evidenced by the component files containing strings associated with the victim company.<\/p>\n<p>Organizations can consider employing the following best practices to minimize the chances of falling victim to ransomware attacks:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Assign administrative rights and access to employees only when required.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regularly update security products and conduct periodic scans.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Safeguard essential data through routine backups to prevent potential loss.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Practice caution with email and website interactions, downloading attachments, clicking URLs, and executing programs.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Prompt users to report potentially suspicious emails and files to security teams.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Educate users regularly on the risks and indicators of social engineering.<\/span><\/li>\n<\/ul>\n<p>Using a multilayered security approach enables organizations to strengthen potential access points into their system, including endpoints, emails, web interfaces, and networks. 
The following security solutions are capable of identifying malicious components and anomalous behavior, enhancing enterprise security:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">Trend Vision One<\/a>\u2122 provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">Trend Micro Apex One<\/a>\u2122 offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.<\/span><\/li>\n<\/ul>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/c\/multistage-ra-world-ransomware-uses-anti-av-tactics,-exploits-gpo\/ioc-ra-world.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div class=\"responsive-table-wrap\" readability=\"7\">\n<p><b><span class=\"body-subhead-title\">MITRE ATT&amp;CK Tactics and Techniques<\/span><\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"5\">\n<tr>\n<th scope=\"col\">Tactic<\/th>\n<th scope=\"col\">Technique<\/th>\n<th scope=\"col\">ID<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Privilege Escalation<\/b><\/td>\n<td>Group Policy Modification<\/td>\n<td>T1484.001<\/td>\n<\/tr>\n<tr>\n<td><b>Lateral Movement<\/b><\/td>\n<td>Lateral Tool Transfer<\/td>\n<td>T1570<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"4\"><b>Defense Evasion<\/b><\/td>\n<td>Impair Defenses \u2013 Safe Mode Boot<\/td>\n<td>T1562.009<\/td>\n<\/tr>\n<tr>\n<td>Indicator Removal<\/td>\n<td>T1070<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td>Indicator Removal \u2013 File Deletion<\/td>\n<td>T1070.004<\/td>\n<\/tr>\n<tr>\n<td>Modify Registry<\/td>\n<td>T1112<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Persistence<\/b><\/td>\n<td>Create or Modify System Process \u2013 Windows Service<\/td>\n<td>T1543.003<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"3\"><b>Impact<\/b><\/td>\n<td>Data Encrypted for Impact<\/td>\n<td>T1486<\/td>\n<\/tr>\n<tr>\n<td>System Shutdown\/Reboot<\/td>\n<td>T1529<\/td>\n<\/tr>\n<tr>\n<td>Data Destruction<\/td>\n<td>T1485<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/body>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/c\/multistage-ra-world-ransomware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Trend Micro threat hunting team came across an RA World attack involving multistage components designed to ensure maximum impact. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55487,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9508,9539,9509],"class_list":["post-55486","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-04T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ra-world-cover:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits 
GPO\",\"datePublished\":\"2024-03-04T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/\"},\"wordCount\":1325,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/\",\"name\":\"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg\",\"datePublished\":\"2024-03-04T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & 
Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg\",\"width\":789,\"height\":525},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat 
Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/","og_locale":"en_US","og_type":"article","og_title":"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-03-04T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/ra-world-cover:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO","datePublished":"2024-03-04T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/"},"wordCount":1325,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/","url":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/","name":"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg","datePublished":"2024-03-04T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo.jpg","width":789,"height":525},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/multistage-ra-world-ransomware-uses-anti-av-tactics-exploits-gpo\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55486"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55486\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55487"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}