RTM Locker RaaS Group Turns to Linux, NAS and ESXi Hosts
Highly Structured Group Using Traces of Babuk Ransomware's Leaked Source Code
RTM Locker ransomware-as-a-service operators have now turned their attention to Linux, network-attached storage devices and ESXi hosts.
The group appears to be using a new ransomware strain that shows traces of Babuk ransomware's leaked source code, said researchers at cybersecurity firm Uptycs.
ESET identified the first traces of the criminal group's activities in 2015, when it primarily distributed banking malware through phishing and drive-by download campaigns. Over the years the group has evolved to deploy a ransomware payload on compromised hosts, and it has now for the first time built a Linux binary to infect network-attached storage and ESXi hosts.
The Linux Variant
Enterprises have seen an uptick in the adoption of ESXi virtualization servers and NAS devices, which offer several advantages over physical servers. Ransomware operators and RaaS providers have followed the trend.
The Linux variant of RTM Locker is reportedly inspired by the leaked source code of the now-defunct Babuk ransomware. Both use random number generation and implement ECDH over Curve25519 for asymmetric encryption and ChaCha for symmetric encryption. Both Linux versions also encrypt files that carry the .vmsn file extension.
The Linux variant is specifically used to target ESXi hosts, and it terminates all VMs running on a compromised host before starting the encryption process. Uptycs researchers were unable to determine the initial access vector.
The encrypted files have an .RTM extension, and after the encryption process completes, the group, like other operators, leaves a ransom note with a Tox ID as the contact for obtaining decryption after the ransom is paid.
Researchers said designing a decryptor for the infected files appears unlikely since the RTM group uses a combination of asymmetric and symmetric encryption, which "makes decryption impossible without the private key."
RTM Has Strict Rules
A Windows ransomware variant from the same group was disclosed earlier this month by Trellix, which described the operators as private RaaS providers that work on an affiliate-based model under stringent "rules and exceptions." Trellix compared the workings of the group to a regular day-job business, "where affiliates are required to remain active or notify the gang of their leave," displaying "the organizational maturity of the group."
One of RTM's rules prohibits targeting organizations located inside the former Soviet Union, as well as critical infrastructure organizations such as hospitals, vaccine and medicine-related corporations, and law enforcement. These restrictions are meant to avoid attention in the form of news headlines, Trellix said.
Linking any ongoing negotiation chat publicly is also strictly prohibited and could lead to the affiliate being banned. RTM Locker's malware builds are strictly safeguarded to avoid external analysis. The "samples contain a self-delete mechanism, which is invoked once the victim's device is encrypted," Trellix said. "This further strengthens the stealthy nature of their operations, [and] affiliates who do leak samples risk a ban, based on the affiliated ID within the locker."
The rules help define the potential targets, allowing affiliates to operate as they see fit. The gang's primary objective is to make money, rather than having a political motive, the researchers said.