RTM Locker Ransomware Gang Targets VMware ESXi Servers – Source: heimdalsecurity.com

RTM Locker is now the most recent enterprise-targeting ransomware operation found to be using a Linux encryptor to target virtual machines on VMware ESXi systems. The RTM (Read The Manual) cybercrime group, which is well-known for disseminating a unique banking virus designed to steal money from victims, has been engaged in financial fraud since at least 2015.

Security researchers reported this month that the threat actors had launched a new Ransomware-as-a-Service (RaaS) operation and had started to recruit affiliates, including members of the former Conti cybercrime syndicate.

The ‘Read The Manual’ Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang’s strict rules… The business-like setup of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti.

Trellix on RTM Locker (Source)

Details About the Operation

According to BleepingComputer, proof indicates that the RaaS has been active for at least five months. Initially, security researchers observed only a Windows ransomware encryptor, but the operation expanded its targeting to Linux and VMware ESXi servers as well in the past months.

The corporation has switched to virtual machines (VMs) in recent years because they provide better device control and significantly more effective resource handling. As a result, an organization’s servers are frequently distributed among a combination of physical hardware and VMware ESXi servers hosting numerous virtual servers.

In order to properly encrypt all of the data needed by the organization, ransomware operations have adopted this trend and developed Linux encryptors targeted at ESXi servers.

This is a trend that BleepingComputer has seen with almost all enterprise-targeting ransomware operations, including Royal, LockBit, REvil, Hive, Black Basta, HelloKitty, and others.

Researchers analysed a Linux variant of the RTM Locker that is based on the leaked source code of the now-defunct Babuk ransomware. The encryptor appears to be created specifically for the purpose of attacking VMware ESXi systems, as it contains important references to commands used to manage virtual machines.

The encryptor will initially try to encrypt all VMware ESXi virtual machines by first compiling a list of active VMs using the command: esxcli vm process list >> vmlist.tmp.txt

Next, it terminates all the running virtual machines using the command: esxcli vm process kill -t=force -w

After all the VMs are terminated, the encryptor begins to encrypt files with the following extensions:

• .log (log files);
• .vmdk (virtual disks);
• .vmem (virtual machine memory);
• .vswp (swap files);
• .vmsn (VM snapshots).

RTM employs ECDH on Curve 25519 for asymmetric encryption, similar to Babuk, except instead of Sosemanuk, it utilizes ChaCha20 for symmetric encryption. There are currently no free decryptors for RTM Locker because the outcome is secure and hasn’t been cracked.

Apparently, the cryptographic algorithms are “statistically implemented” into the binary’s code, making the encryption process more reliable. When encrypting files, the encryptor appends the .RTM extension to the files’ names and after that creates a ransom note on the infected system, threatening the victim to contact RTM’s support within 48 hours via Tox to negotiate a ransom payment, or the stolen data will be published.

Currently, the group is not particularly active, although this can change in the future. The existence of an ESXi-targeting version is enough to make RTM Locker a significant threat to enterprises.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.