A new variant of RTM ransomware-as-a-service (RaaS) has been discovered, which targets Linux, NAS, and ESXi systems. This new ransomware binary is based on the leaked source code of Babuk ransomware from 2021 and uses a combination of asymmetric and symmetric encryption to encrypt files.
The group behind RTM Locker, an emerging cybercriminal gang, operates a RaaS and provides its affiliates with strict rules to avoid attracting attention. They avoid targeting certain organizations, such as hospitals, COVID-19 vaccine-related organizations, and law enforcement. The group’s affiliates must remain active, or their account will be removed after 10 days without prior notification.
To avoid being analyzed, they must keep RTM Locker malware builds private. The samples contain a self-delete mechanism, which is invoked once the victim’s device is encrypted.
The group threatens to ban any affiliate who leaks the samples.
RTM Locker specifically targets ESXi hosts, and the malicious code supports two ESXi commands that list all running VMs and kill them. Uptycs discovered this during their dark web hunting. The initial access vector for the ransomware is unknown, and once encrypted, a ransom note is dropped in each directory containing the encrypted files.
The note instructs victims to contact the operators via Tox and threatens to leak stolen files if they do not respond within 48 hours. The combination of asymmetric and symmetric encryption makes it impossible to decrypt files without the attacker’s private key.
