Français
Deutsch
Español
Italiano
Português
日本語
한국어
Русский
Global Smart Parcel Locker Market (2023 to 2028): Surge in Demand for Contactless Delivery and Flexible Service Hours Drives Growth
Aug 12, 2023Food Lockers Professional Market 2031 Business Insights with Key Trend Analysis
Aug 14, 2023Unpacking the Benefits of LAMEA Intelligent Parcel Lockers in Today's Digital Age
Aug 08, 2023Posten Bring rolls out 5,000 SwipBox lockers in three years
Aug 18, 2023Cleveron introduces battery
Aug 10, 2023Linux version of RTM Locker ransomware targets VMware ESXi servers
Jun 21, 2023RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
The RTM (Read The Manual) cybercrime gang has been active in financial fraud since at least 2015, known for distributing a custom banking trojan used to steal money from victims.
This month, cybersecurity firm Trellix reported that RTM Locker had launched a new Ransomware-as-a-Service (Raas) operation and had begun to recruit affiliates, including those from the former Conti cybercrime syndicate.
"The 'Read The Manual' Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang's strict rules," explains Trellix.
"The business-like set up of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti."
Security researcher MalwareHunterTeam also shared a sample of RTM Locker with BleepingComputer in December 2022, indicating this RaaS has been active for at least five months.
At the time, Trellix and MalwareHunterTeam had only seen a Windows ransomware encryptor, but as Uptycs reported yesterday, RTM has expanded its targeting to Linux and VMware ESXi servers.
Over the past years, the enterprise has moved to virtual machines (VMs) as they offer improved device management and much more efficient resource handling. Due to this, an organization's servers are commonly spread over a mix of dedicated devices and VMware ESXi servers running multiple virtual servers.
Ransomware operations have followed this trend and created Linux encryptors dedicated to targeting ESXi servers to encrypt all data used by the enterprise properly.
BleepingComputer has seen this with almost all enterprise-targeting ransomware operations, including Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, Hive, and now, RTM Locker.
In a new report by Uptycs, researchers analyzed a Linux variant of the RTM Locker that is based on the leaked source code of the now-defunct Babuk ransomware.
The RTM Locker Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains numerous references to commands used to manage virtual machines.
When launched, the encryptor will first attempt to encrypt all VMware ESXi virtual machines by first gathering a list of running VMs using the following esxcli command:
The encryptor then terminates all running virtual machines using the following command:
After all the VMs are terminated, the encryptor begins to encrypt files that have the following file extensions - .log (log files), .vmdk (virtual disks), .vmem (virtual machine memory), .vswp (swap files), and .vmsn (VM snapshots).
All of these files are associated with virtual machines running on VMware ESXi.
Like Babuk, RTM uses a random number generation and ECDH on Curve25519 for asymmetric encryption, but instead of Sosemanuk, it relies on ChaCha20 for symmetric encryption.
The result is secure and hasn't been cracked yet, so there are no available free decryptors for RTM Locker at this time.
Uptycs also comments that the cryptographic algorithms are "statically implemented" into the binary's code, making the encryption process more reliable.
When encrypting files, the encryptor appends the .RTM file extension to encrypted file's names, and after it's done, creates ransom notes named !!! Warning !!! on the infected system.
The notes threaten to contact RTM's "support" within 48 hours via Tox to negotiate a ransom payment, or the victim's stolen data will be published.
In the past, RTM Locker used payment negotiation sites on the following TOR sites but moved to TOX recently for communications.
The existence of an ESXi-targeting version is enough to categorize RTM Locker as a significant threat to the enterprise.
However, the good news is that BleepingComputer's research has shown that the group is not particularly active, though that may change in the future.
Linux version of Abyss Locker ransomware targets VMware ESXi servers
Linux version of Akira ransomware targets VMware ESXi servers
The Week in Ransomware - August 4th 2023 - Targeting VMware ESXi
Meet NoEscape: Avaddon ransomware gang's likely successor
The Week in Ransomware - June 30th 2023 - Mistaken Identity
RTM operator promoting the RaaS on a hacker forumRTM's attack workflow.RTM!!! Warning !!!RTM ransom note sample