A group of threat actors known for their private ransomware-as-a-service (RaaS) offering called RTM Locker has developed a new ransomware strain capable of targeting Linux machines. The ransomware is designed to infect Linux, NAS, and ESXi hosts and uses a combination of ECDH on Curve25519 and Chacha20 to encrypt files. This marks the group’s first foray into the open-source operating system. The ransomware appears inspired by Babuk ransomware’s leaked source code.
The RTM Locker group avoids high-profile targets like critical infrastructure, law enforcement, and hospitals to prevent attention from security agencies and other forms of authority. Instead, it leverages affiliates to ransom victims and leaks stolen data should they refuse to pay. The ransomware is designed to single out ESXi hosts by terminating all virtual machines running on a compromised host before the encryption process starts.
Despite efforts to uncover everything about the ransomware, the initial infector employed to deliver the ransomware is currently unknown. The ransomware uses statical compilation and stripping to make reverse engineering more difficult and to allow the binary to run on more systems. The encryption function uses pthreads (aka POSIX threads) to speed up execution.
Successful encryption is followed by the attackers persuading victims to contact the support team within 48 hours via Tox or risk getting their data published. To decrypt a file locked with RTM Locker, the public key and the attacker’s private key must be appended to the end of the encrypted file.
Meanwhile, Microsoft has revealed that threat actors focus on vulnerable PaperCut servers to deploy Cl0p and LockBit ransomware.
