RTM group (aka Read The Manual gang), the provider of RTM Locker RaaS, has developed a new ransomware binary designed to target Linux-based machines. The ransomware is capable of infecting Linux, ESXi, and NAS hosts. It seems to be inspired by the leaked source code of Babuk ransomware.
The RTM Locker
According to Uptycs, this Linux variant of RTM Locker is specifically aimed at ESXi hosts, as it includes two related commands.
It uses asymmetric and symmetric encryption, which makes it impossible to decrypt files without a private key.
The initial infection vector is at present not known. However, after successful encryption, victims are told to contact the support team within 48 hours via Tox or risk getting their data published.
The ransomware group leverages affiliates for the very purpose.
Babuk connection?
Several similarities have been observed between the Babuk ransomware and RTM Locker. Both malware use the same random number generation method and asymmetric encryption. However, what makes them different is the asymmetric encryption. Babuk uses sosemanuk for asymmetric encryption, while RTM Locker uses ChaCha20.
Additional technical details
RTM Locker targets ESXi hosts by aborting all virtual machines running on a compromised host before the encryption process starts.
It is statically stripped and compiled, allowing the binary to target more systems while making reverse engineering more challenging. The encryption uses pthreads to speed up execution.
For encryption, it uses Elliptic-curve Diffie–Hellman (ECDH) for both asymmetric encryption (via Curve25519 algorithm) and symmetric encryption (via Chacha20 algorithm).
The gang intentionally avoids high-profile targets such as law enforcement, critical infrastructure, and hospitals.
Conclusion
RTM Locker is already a challenge to reverse engineer and shares similarities with the leaked code of Babuk ransomware. Further, this Linux ransomware strain targets NAS/ESXi hosts. The experts suggest using the YARA tool or a third-party tool to scan dubious processes to stay protected. Additionally, deploy a security solution that comes with advanced detection capabilities.