RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

April 27, 2023 | Ravie Lakshmanan | Linux / Endpoint Security


The threat actors behind RTM Locker have developed a strain of ransomware capable of targeting Linux machines, marking the group’s first foray into the open source operating system.

“Their locker ransomware infects Linux, NAS and ESXi hosts and appears to be inspired by the leaked Babuk ransomware source code,” Uptycs said in a new report released Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files.”

RTM Locker was first documented by Trellix earlier this month, describing the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that has been known to be active since at least 2015.

The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement and hospitals to attract as little attention as possible. It also leverages affiliates to ransom victims, as well as leaking stolen data if they refuse to pay.

The Linux flavor is specifically designed to single out ESXi hosts, terminating all virtual machines running on a compromised host before starting the encryption process. The exact initial intrusion vector used to deliver the ransomware is currently unknown.


“It is statically compiled and stripped, making reverse engineering difficult and allowing the binary to run on more systems,” Uptycs explained. “The encryption function also uses pthreads (also known as POSIX threads) to speed up execution.”


After successful encryption, victims are asked to contact the support team within 48 hours via Tox or risk having their data published. Decrypting a file locked with RTM Locker requires the public key appended to the end of the encrypted file and the attacker’s private key.
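As an added illustration (not code from the Uptycs report or from the malware itself), the following Python model shows the scheme the quotes describe: X25519 ECDH to agree a per-file key, ChaCha20 for the bulk data, and the ephemeral public key appended to the ciphertext. It assumes the `cryptography` package and an HKDF-SHA256 derivation step, which the report does not specify, and it shows the incident-response point from the paragraph above: the appended public key is useless for recovery without the operator's private key.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

KEY_LEN = 32    # raw X25519 public key: the trailer appended to each file
NONCE_LEN = 16  # ChaCha20 in `cryptography` takes a 16-byte nonce (counter || nonce)
RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def derive_key(shared_secret: bytes) -> bytes:
    # Assumed step: the report names no KDF, so HKDF-SHA256 stands in for whatever the binary does.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"file-key").derive(shared_secret)


def seal(plaintext: bytes, operator_pub: X25519PublicKey) -> bytes:
    """Encrypt while holding only the operator's public key: a fresh ephemeral X25519 key
    is generated, its ECDH shared secret becomes the ChaCha20 key, and the ephemeral
    public key is appended as a trailer. The ephemeral private key is discarded, so
    nothing left on the host can rebuild the ChaCha20 key."""
    ephemeral = X25519PrivateKey.generate()
    key = derive_key(ephemeral.exchange(operator_pub))
    nonce = os.urandom(NONCE_LEN)
    enc = Cipher(algorithms.ChaCha20(key, nonce), mode=None).encryptor()
    return nonce + enc.update(plaintext) + enc.finalize() + ephemeral.public_key().public_bytes(*RAW)


def open_sealed(blob: bytes, operator_priv: X25519PrivateKey) -> bytes:
    """Recovery needs both halves: the trailer from the file and the operator's private key.
    ECDH(operator_priv, ephemeral_pub) equals ECDH(ephemeral_priv, operator_pub)."""
    nonce, body, trailer = blob[:NONCE_LEN], blob[NONCE_LEN:-KEY_LEN], blob[-KEY_LEN:]
    key = derive_key(operator_priv.exchange(X25519PublicKey.from_public_bytes(trailer)))
    dec = Cipher(algorithms.ChaCha20(key, nonce), mode=None).decryptor()
    return dec.update(body) + dec.finalize()


def demo() -> dict:
    """Constructed sample: encrypt once, then attempt recovery with and without the key."""
    operator_priv = X25519PrivateKey.generate()  # stays with the operator, never on the victim
    plaintext = b"constructed sample file contents"
    blob = seal(plaintext, operator_priv.public_key())
    return {
        "layout_ok": len(blob) == NONCE_LEN + len(plaintext) + KEY_LEN,
        "recovered_with_private_key": open_sealed(blob, operator_priv) == plaintext,
        # The trailer is public information: any other private key yields only garbage.
        "recovered_with_trailer_only": open_sealed(blob, X25519PrivateKey.generate()) == plaintext,
    }
```

The last result is why a decryptor cannot be built from the encrypted files alone; verified offline backups remain the practical recovery path.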

The development comes as Microsoft revealed that vulnerable PaperCut servers are being actively targeted by threat actors to deploy Cl0p and LockBit ransomware.

Ikaroa, a leading full stack tech company, has recently been alerted to a new strain of Linux ransomware targeting NAS and ESXi Hosts. The new strain, RTM Locker, has been described as the first of its kind to target such networks and systems.

The attack, which is believed to originate from Russia, is said to be file-encrypting ransomware, a type of malware that encrypts files on a compromised computer, making them inaccessible until a ransom is paid.

In a press release issued in early January 2021, Ikaroa noted that the majority of reported incidents have been with NAS storage devices and ESXi hosted storage systems. The ransomware is known to encrypt files on the infected machine, as well as files stored on remote network drives.

Ikaroa recommends that organizations immediately assess their systems to make sure they are secure, verifying that they have the latest security updates and patches installed. In addition to this, users should practice good cyber hygiene by regularly backing up files and data, in case they are affected by this threat or any other similar hacker attack.

With the increasing prevalence of ransomware attacks, organizations must take proactive measures to secure their systems and networks. Ikaroa is committed to providing our customers with the advanced security technology and anti-malware defenses needed to protect against any form of malware, including the latest Linux ransomware strains like RTM Locker.
