RA Group
RA Group is a financially motivated ransomware threat actor active by the first half of 2023. Reporting cited in the provided content states that RA Group was among advanced ransomware operations launched in early 2023 and that it leveraged Babuk ransomware source code leaked in June 2021. The content also states that RaLord is considered a successor or offshoot of the former RA Group, placing RA Group in the lineage associated with later Nova/RaLord activity. No credible evidence in the provided content links RA Group to a nation-state. Alias explicitly provided: ra_group.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a predecessor lineage to the RaLord ransomware family; mentioned only in the context of Nova being a successor/offshoot rather than as an active operator in this incident.
Referenced as a predecessor lineage to the RaLord ransomware family; mentioned only in the context of Nova being a successor/offshoot rather than as an active operator in this incident.
Ransomware actor listed as active in Q1 2025.
Ransomware operation reported to leverage leaked Babuk source code for customized operations.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.