RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
The RTM (Read The Manual) cybercrime gang has been active in financial fraud since at least 2015, known for distributing a custom banking trojan used to steal money from victims.
This month, cybersecurity firm Trellix reported that RTM Locker had launched a new Ransomware-as-a-Service (RaaS) operation and had begun to recruit affiliates, including those from the former Conti cybercrime syndicate.
“The ‘Read The Manual’ Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang’s strict rules,” explains Trellix.
“The business-like setup of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti.”
At the time, Trellix and MalwareHunterTeam had only seen a Windows ransomware encryptor, but as Uptycs reported yesterday, RTM has expanded its targeting to Linux and VMware ESXi servers.
Targeting VMware ESXi
Over the past few years, enterprises have moved to virtual machines (VMs) because they offer improved device management and far more efficient resource handling. As a result, an organization's servers are commonly spread across a mix of dedicated devices and VMware ESXi hosts, each running multiple virtual servers.
Ransomware operations have followed this trend and created Linux encryptors dedicated to ESXi servers, so that they can encrypt all of an enterprise's data in one pass.
The RTM Locker Linux encryptor appears to have been created specifically to attack VMware ESXi systems, as it contains numerous references to commands used to manage virtual machines.
When launched, the encryptor attempts to encrypt all VMware ESXi virtual machines, first gathering a list of running VMs with the following esxcli command:
esxcli vm process list >> vmlist.tmp.txt
The encryptor then terminates all running virtual machines using the following command:
esxcli vm process kill -t=force -w
After all the VMs are terminated, the encryptor begins encrypting files with the following extensions: .log (log files), .vmdk (virtual disks), .vmem (virtual machine memory), .vswp (swap files), and .vmsn (VM snapshots).
All of these files are associated with virtual machines running on VMware ESXi.
Like Babuk, RTM uses random number generation and ECDH on Curve25519 for asymmetric encryption, but instead of Sosemanuk, it relies on ChaCha20 for symmetric encryption.
The resulting scheme is secure and has not been cracked, so no free decryptor is available for RTM Locker.
Uptycs also comments that the cryptographic algorithms are “statically implemented” into the binary’s code, making the encryption process more reliable.
When encrypting files, the encryptor appends the .RTM extension to the names of encrypted files and, once finished, creates ransom notes named !!! Warning !!! on the infected system.
The notes instruct victims to contact RTM's “support” within 48 hours via Tox to negotiate a ransom payment, warning that the victim's stolen data will otherwise be published.
In the past, RTM Locker hosted its payment negotiation sites on the following Tor sites, but it has recently moved to Tox for communications.
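A defender-side illustration of the behaviour described above: the two esxcli commands the encryptor runs (enumeration, then forced kill) and the on-disk artefacts it leaves (the .RTM extension and the !!! Warning !!! ransom note). This is an added example, not code from the article or from Uptycs or Trellix. The shell.log lines and datastore listing are constructed samples, and the /var/log/shell.log line format (timestamp, process, user, command) is an assumption rather than something the article states.

```python
"""Hunt for RTM Locker ESXi activity in shell history and on datastores.

Added illustration (not from the article or from Uptycs/Trellix). The
shell.log lines and the datastore listing below are constructed samples;
the /var/log/shell.log format is assumed, not taken from the article.
"""
import re
from pathlib import PurePosixPath

# Commands quoted in the article. The kill command is matched loosely so that
# per-VM invocations ('-w <world-id>') are still caught.
SUSPICIOUS_COMMANDS = {
    "vm_enumeration": re.compile(r"esxcli\s+vm\s+process\s+list"),
    "forced_vm_kill": re.compile(r"esxcli\s+vm\s+process\s+kill\s+.*-t=force"),
}

# Artefacts the article says the encryptor leaves behind, and the extensions it targets.
ENCRYPTED_EXT = ".RTM"
RANSOM_NOTE_NAME = "!!! Warning !!!"
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}

# Constructed shell.log lines (format assumed: timestamp, process, user, command).
SAMPLE_SHELL_LOG = """\
2023-04-26T09:58:11Z shell[2101]: [root]: vim-cmd vmsvc/getallvms
2023-04-26T10:01:03Z shell[2101]: [root]: esxcli vm process list >> vmlist.tmp.txt
2023-04-26T10:01:40Z shell[2101]: [root]: esxcli vm process kill -t=force -w 2100322
2023-04-26T10:02:15Z shell[2101]: [root]: esxcli vm process kill -t=force -w 2100341
2023-04-26T10:05:00Z shell[2101]: [root]: ls /vmfs/volumes/datastore1
"""


def scan_shell_log(text):
    """Return (line_no, rule_name, command) for every line matching a rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # The command follows the last ']: ' (the '[user]: ' prefix); keep the
        # whole line if that prefix is absent so nothing is silently dropped.
        command = line.rsplit("]: ", 1)[-1]
        for name, pattern in SUSPICIOUS_COMMANDS.items():
            if pattern.search(command):
                hits.append((line_no, name, command))
    return hits


def classify_paths(paths):
    """Split a datastore listing into encrypted files, ransom notes and untouched VM files."""
    encrypted, notes, intact = [], [], []
    for p in paths:
        path = PurePosixPath(p)
        if path.name == RANSOM_NOTE_NAME:
            notes.append(p)
        elif path.suffix == ENCRYPTED_EXT:
            encrypted.append(p)
        elif path.suffix.lower() in TARGET_EXTS:
            intact.append(p)
    return {"encrypted": encrypted, "notes": notes, "intact": intact}


def assess(shell_log_text, paths):
    """Combine both checks into a verdict and a summary a responder can act on."""
    hits = scan_shell_log(shell_log_text)
    files = classify_paths(paths)
    rules = {name for _, name, _ in hits}
    # Encrypted artefacts or notes are decisive; the enumerate-then-force-kill
    # pair alone is a strong signal, since admins rarely force-kill every VM.
    if files["encrypted"] or files["notes"]:
        verdict = "encryption-observed"
    elif {"vm_enumeration", "forced_vm_kill"} <= rules:
        verdict = "pre-encryption-activity"
    elif rules:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "command_hits": hits, "files": files}


# Constructed datastore listing mixing encrypted, untouched and unrelated files.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.RTM",
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/vmware.log.RTM",
    "/vmfs/volumes/datastore1/!!! Warning !!!",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk",
]

if __name__ == "__main__":
    report = assess(SAMPLE_SHELL_LOG, SAMPLE_PATHS)
    print(report["verdict"])
    for line_no, name, cmd in report["command_hits"]:
        print(f"shell.log:{line_no} {name}: {cmd}")
```

The kill pattern deliberately ignores the `-w` argument so that one-VM-at-a-time invocations are flagged as well as the bulk form quoted above; the verdict escalates only when enumeration and forced kill both appear, because either command on its own is routine ESXi administration.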
The existence of an ESXi-targeting version is enough to categorize RTM Locker as a significant threat to the enterprise.