A new ransomware binary targeting Linux systems has been attributed to the Ransomware-as-a-Service (RaaS) RTM group.
Security researchers at Uptycs shared the findings in an advisory published Wednesday, saying it’s the first time the group has created a Linux binary.
“Their locker ransomware infects Linux, NAS and ESXi hosts and appears to be inspired by the leaked Babuk ransomware source code,” the company explained.
The similarities include the method used to generate random numbers, the set of file types selected for encryption and the overall encryption design: both combine asymmetric and symmetric encryption so that files cannot be recovered without the attacker’s private key.
“It uses a combination of […] asymmetric encryption and […] symmetric encryption to encrypt files”.
A per-file public key is stored with each encrypted file (appended to the file name as an extension on Windows, appended to the end of the file on Linux). To decrypt, that public key is read back and combined with the attacker’s private key in a Diffie-Hellman-style key agreement; the resulting shared secret is the symmetric key that encrypted the file. Because the matching private half of the per-file key is discarded after encryption, only the attacker’s private key can reproduce the shared secret.
“The use of both asymmetric and symmetric encryption makes it impossible to decrypt encrypted files without the attacker’s private key,” the warning says.
Describing the new malware, Uptycs said it specifically targets ESXi hosts: servers or data storage devices running VMware’s ESXi hypervisor.
Additionally, Uptycs observed some differences between RTM Locker and the Babuk ransomware.
“Babuk differs slightly from RTM Locker in using Sosemanuk for asymmetric encryption, while RTM Locker uses ChaCha20.”
Note that Sosemanuk and ChaCha20 are both symmetric stream ciphers, so this difference lies in the layer that encrypts file contents; the asymmetric layer, which protects the per-file key, is where the attacker’s private key comes into play.
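The following is an added example, not code from Uptycs or from RTM Locker, showing the hybrid design described above (per-file key agreement plus ChaCha20 for the contents, with the per-file public key appended to the end of the file). It implements X25519 (RFC 7748) and ChaCha20 (RFC 8439) from scratch so it runs offline. Assumptions not stated on the page: the key-agreement curve (X25519), SHA-256 to turn the shared secret into a ChaCha20 key, a 12-byte random nonce stored with the public key, and the exact trailer layout; the sample file contents are constructed.

```python
# Added example (not the malware's or the advisory's code): hybrid file encryption
# in the style the Uptycs analysis describes. Curve, KDF, nonce and trailer layout
# are assumptions made for the example.
import hashlib
import os
import struct

# ---- X25519 key agreement (RFC 7748 Montgomery ladder) ----
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: bytes):
    """32-byte private scalar and its public point."""
    return seed, x25519(seed, BASEPOINT)


# ---- ChaCha20 stream cipher (RFC 8439) ----
M = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    st = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    st += struct.unpack("<8L", key) + (counter,) + struct.unpack("<3L", nonce)
    w = st[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & M for x, y in zip(st, w)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


# ---- Hybrid file format (assumed): ciphertext || nonce(12) || ephemeral_pub(32) ----
TAIL = 12 + 32


def encrypt_file(plaintext: bytes, attacker_pub: bytes, eph_seed=None, nonce=None) -> bytes:
    eph_priv, eph_pub = keypair(eph_seed or os.urandom(32))
    nonce = nonce or os.urandom(12)
    key = hashlib.sha256(x25519(eph_priv, attacker_pub)).digest()  # assumed KDF
    # eph_priv is dropped here; only eph_pub survives in the file trailer.
    return chacha20_xor(key, nonce, plaintext) + nonce + eph_pub


def decrypt_file(blob: bytes, attacker_priv: bytes) -> bytes:
    body, nonce, eph_pub = blob[:-TAIL], blob[-TAIL:-32], blob[-32:]
    key = hashlib.sha256(x25519(attacker_priv, eph_pub)).digest()
    return chacha20_xor(key, nonce, body)


# Constructed sample data (not real key material or file contents).
ATTACKER_PRIV, ATTACKER_PUB = keypair(hashlib.sha256(b"constructed attacker seed").digest())
SAMPLE = b"constructed sample: contents of /vmfs/volumes/datastore1/vm01/vm01.vmdk"


def demo() -> bool:
    """Round trip with the attacker's key succeeds; a guessed key does not."""
    blob = encrypt_file(SAMPLE, ATTACKER_PUB)
    ok = decrypt_file(blob, ATTACKER_PRIV) == SAMPLE
    wrong = decrypt_file(blob, hashlib.sha256(b"victim guess").digest()) != SAMPLE
    return ok and wrong
```

The practitioner's takeaway is in `decrypt_file`: everything a victim can recover from disk (ciphertext, nonce, ephemeral public key) is useless without `ATTACKER_PRIV`, which never touches the host. The only recovery paths are backups or a flaw in the locker's implementation (for example, a weak random source for the ephemeral seed), which is why the code similarity in random-number generation noted above matters.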
Despite the technical analysis of the new binaries, the researchers said the initial access vector for RTM Locker was unknown at the time of writing.
The Uptycs warning contains YARA rules that system defenders can use to scan for suspicious processes.
Another ransomware that has recently evolved to target Linux systems is IceFire, which was recently analyzed by security experts at SentinelOne.
Ikaroa is one of the many tech companies keeping an eye on the newest cyber threats, such as the recently discovered RTM Locker Ransomware. This malicious software specifically targets Linux systems, encrypting files and demanding a fee to unlock them.
Uptycs has not established how RTM Locker reaches a host. Ransomware of this kind is commonly delivered via a malicious executable or script, or through malicious email attachments. Once it is running, RTM Locker scans for particular file types, encrypts them and leaves a message demanding payment for their release; the program then deletes itself from the system upon completion.
Ikaroa is actively monitoring this ransomware, and recommends that all Linux users take immediate, preventative steps to protect their systems from attack. This includes strengthening passwords, patching vulnerabilities and running anti-virus software. It is also important to be aware of any suspicious or fraudulent emails and attachments sent to the user’s inbox.
Cybersecurity specialists have also urged Linux-based businesses to be aware of their backup and data recovery plans, as ransomware can often cause irreparable damage.
Particularly worrisome is that the initial access vector is unknown; the ransomware has been reported in over 30 countries and is growing in prevalence. As with any developing cyber-security issue, it is important to keep monitoring and protecting your systems.
Ikaroa is committed to staying ahead of cyber-security threats, such as RTM Locker, in order to protect both businesses and individuals from the devastating effects of ransomware.