RTM Locker (also known as Read The Manual Locker) ransomware now has a Linux variant. The ransomware deploys a Linux encryptor that targets virtual machines on VMware ESXi hosts. It first terminates all virtual machines running on a compromised host, then encrypts files, changes the desktop wallpaper and drops the "How To Restore Your Files" ransom note, which threatens to publish stolen data if the victim does not negotiate a payment.

The encryptor uses POSIX Threads (pthreads) to speed up execution, and a hybrid scheme that combines Elliptic-curve Diffie–Hellman (ECDH) key exchange over Curve25519 (the asymmetric component) with ChaCha20 (the symmetric component used to encrypt file contents).

The RTM cybercrime gang, a known ransomware-as-a-service (RaaS) provider, has been active in financial fraud since at least 2015, and is known for distributing a custom banking trojan. Uptycs researchers discovered RTM Locker during dark web hunting and identified and analyzed the Linux variant in a new report.

Impact

The ESXi version makes the ransomware a significant threat to enterprises. Because the ransomware combines asymmetric and symmetric encryption, the encrypted files cannot be decrypted without the attacker's private key. Decryption requires reading the public key stored in the file extension (Windows) or appended at the end of the file (Linux) together with the attacker's private key. No free decryptors are yet available.

DXC perspective

The Uptycs threat research team has shared a YARA rule to detect RTM Locker. Organizations can help secure their infrastructures with advanced threat protection tools such as Uptycs XDR, whose built-in YARA rules (malware detection patterns) and other capabilities identify and mitigate RTM Locker ransomware.

We also recommend the following actions:

  • Monitor the network and endpoints for abnormal user behavior; detect and kill malicious processes. Do not allow user email accounts or web-based email traffic on servers.
  • Install and regularly update antivirus software on all hosts and enable real-time detection.
  • Regularly back up data, and password-protect backup copies stored offline.
  • Apply operating system, software and firmware updates and patches as soon as they are released.
  • Implement network segmentation and maintain offline backups of data to limit interruption to the organization.
  • Prevent phishing attempts to harvest user credentials by encouraging employees to be wary of suspicious emails, to avoid clicking on links or downloading attachments unless they are certain the message came from a legitimate source, and to report any spam or phishing emails they encounter.
  • Regularly train and test employees through ethical phishing campaigns to increase their awareness of various targeted attacks.
  • Conduct a security risk assessment to evaluate your posture and readiness to respond to ransomware threats.

Threat hunting tips

IOCs (SHA256)

55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638
b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b
d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0

Uptycs YARA rule

rule Uptycs_Ransomware_RTM_Locker
{
    meta:
        malware_name = "RANSOMWARE"
        description = "Ransomware is a malware that encrypts sensitive information on your system and asks for ransom in exchange for restoring the encrypted data."
        author = "Uptycs Inc"
        version = "1"
    strings:
        $Ransomware_RTM_Locker_0 = "esxcli vm process list"  ascii wide
        $Ransomware_RTM_Locker_1 = "vmlist.tmp.txt"  ascii wide
        $Ransomware_RTM_Locker_2 = "esxcli vm process kill"  ascii wide
        $Ransomware_RTM_Locker_3 = "!!! Warning!!!"  ascii wide
        $Ransomware_RTM_Locker_4 = "Your network is infected by the RTM Locker command"  ascii wide
    condition:
        all of ($Ransomware_RTM_Locker*)
}
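The following triage helper is an added example and is not part of the original advisory or of Uptycs' own tooling. It checks a file's SHA256 against the three IOCs listed above and emulates the string logic of the Uptycs YARA rule in pure Python, including the "ascii wide" modifier (wide means the string encoded as UTF-16LE, two bytes per character) and the "all of" condition, so the rule's behaviour can be understood and tested without yara-python installed. The sample byte strings at the bottom are constructed for illustration; they are not real malware.

```python
"""Offline triage helper for the RTM Locker IOCs and YARA rule (added example)."""

import hashlib
from pathlib import Path
from typing import Dict, List

# SHA256 IOCs as published in the advisory above.
RTM_LOCKER_SHA256 = {
    "55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638",
    "b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b",
    "d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0",
}

# The $Ransomware_RTM_Locker_* strings from rule Uptycs_Ransomware_RTM_Locker.
RTM_LOCKER_STRINGS = [
    "esxcli vm process list",
    "vmlist.tmp.txt",
    "esxcli vm process kill",
    "!!! Warning!!!",
    "Your network is infected by the RTM Locker command",
]


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def matches_ioc_hash(data: bytes) -> bool:
    """True if the content's SHA256 is one of the published IOC hashes."""
    return sha256_of(data) in RTM_LOCKER_SHA256


def yara_string_variants(s: str) -> List[bytes]:
    """Byte patterns YARA searches for a string declared 'ascii wide':
    the raw ASCII bytes and the UTF-16LE ('wide') encoding."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def matched_strings(data: bytes) -> Dict[str, bool]:
    """Per-string result: did either the ascii or the wide form occur in data?"""
    return {
        s: any(variant in data for variant in yara_string_variants(s))
        for s in RTM_LOCKER_STRINGS
    }


def matches_rtm_locker_rule(data: bytes) -> bool:
    """Emulates the rule condition: all of ($Ransomware_RTM_Locker*)."""
    return all(matched_strings(data).values())


def triage_bytes(data: bytes, label: str) -> Dict[str, object]:
    """Combine the hash check and the rule emulation into one verdict record."""
    return {
        "label": label,
        "sha256": sha256_of(data),
        "ioc_hash_match": matches_ioc_hash(data),
        "yara_rule_match": matches_rtm_locker_rule(data),
        "strings_found": sum(matched_strings(data).values()),
    }


def triage_file(path: str) -> Dict[str, object]:
    """Read a file from disk and triage it."""
    return triage_bytes(Path(path).read_bytes(), path)


# Constructed sample: an ELF-like header followed by all five rule strings,
# with the warning banner stored only in its wide (UTF-16LE) form.
SAMPLE_HIT = (
    b"\x7fELF" + b"\x00" * 12
    + b"esxcli vm process list > vmlist.tmp.txt\x00"
    + b"esxcli vm process kill\x00"
    + "!!! Warning!!!".encode("utf-16-le") + b"\x00\x00"
    + b"Your network is infected by the RTM Locker command\x00"
)

# Constructed sample: a legitimate admin script that uses one esxcli command.
# It shares a single string with the rule, so the 'all of' condition must not fire.
SAMPLE_BENIGN = b"#!/bin/sh\nesxcli vm process list\n"

if __name__ == "__main__":
    for label, blob in (("sample_hit", SAMPLE_HIT), ("sample_benign", SAMPLE_BENIGN)):
        print(triage_bytes(blob, label))
```

Two caveats worth keeping in mind when using either indicator: the hash list only catches the exact binaries that were analyzed, so a recompiled or repacked variant will not match, and the string rule only fires on an unpacked sample in which all five strings are visible, which is why the benign admin script above (one string present) and a packed binary (no strings present) both return no match.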