RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
The RTM (Read The Manual) cybercrime gang has been active in financial fraud since at least 2015, known for distributing a custom banking trojan used to steal money from victims.
This month, cybersecurity firm Trellix reported that RTM Locker had launched a new Ransomware-as-a-Service (Raas) operation and had begun to recruit affiliates, including those from the former Conti cybercrime syndicate.
“The ‘Read The Manual’ Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang’s strict rules,” explains Trellix.
“The business-like set up of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti.”
Security researcher MalwareHunterTeam also shared a sample of RTM Locker with BleepingComputer in December 2022, indicating this RaaS has been active for at least five months.
At the time, Trellix and MalwareHunterTeam had only seen a Windows ransomware encryptor, but as Uptycs reported yesterday, RTM has expanded its targeting to Linux and VMware ESXi servers.
Targeting VMware ESXi
Over the past years, the enterprise has moved to virtual machines (VMs) as they offer improved device management and much more efficient resource handling. Due to this, an organization’s servers are commonly spread over a mix of dedicated devices and VMware ESXi servers running multiple virtual servers.
Ransomware operations have followed this trend and created Linux encryptors dedicated to targeting ESXi servers to encrypt all data used by the enterprise properly.
BleepingComputer has seen this with almost all enterprise-targeting ransomware operations, including Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, Hive, and now, RTM Locker.
In a new report by Uptycs, researchers analyzed a Linux variant of the RTM Locker that is based on the leaked source code of the now-defunct Babuk ransomware.
The RTM Locker Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains numerous references to commands used to manage virtual machines.
When launched, the encryptor will first attempt to encrypt all VMware ESXi virtual machines by first gathering a list of running VMs using the following esxcli command:
esxcli vm process list >> vmlist.tmp.txt
The encryptor then terminates all running virtual machines using the following command:
esxcli vm process kill -t=force -w
After all the VMs are terminated, the encryptor begins to encrypt files that have the following file extensions – .log (log files), .vmdk (virtual disks), .vmem (virtual machine memory), .vswp (swap files), and .vmsn (VM snapshots).
All of these files are associated with virtual machines running on VMware ESXi.
Like Babuk, RTM uses a random number generation and ECDH on Curve25519 for asymmetric encryption, but instead of Sosemanuk, it relies on ChaCha20 for symmetric encryption.
The result is secure and hasn’t been cracked yet, so there are no available free decryptors for RTM Locker at this time.
Uptycs also comments that the cryptographic algorithms are “statically implemented” into the binary’s code, making the encryption process more reliable.
When encrypting files, the encryptor appends the .RTM file extension to encrypted file’s names, and after it’s done, creates ransom notes named !!! Warning !!! on the infected system.
The notes threaten to contact RTM’s “support” within 48 hours via Tox to negotiate a ransom payment, or the victim’s stolen data will be published.
In the past, RTM Locker used payment negotiation sites on the following TOR sites but moved to TOX recently for communications.
The existence of an ESXi-targeting version is enough to categorize RTM Locker as a significant threat to the enterprise.
However, the good news is that BleepingComputer’s research has shown that the group is not particularly active, though that may change in the future.