Pierluigi Paganini
April 14, 2023
Researchers from cybersecurity firm Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual RTM Locker. The group provides a ransomware-as-a-service (RaaS) and provides its malicious code to a network of affiliates by imposing strict rules.
The group aims at flying below the radar, and like other groups, doesn’t target systems in the CIS region.
“The business-like set up of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti.” reads the analysis of the gang. “The gang’s modus operandi is focused on a single goal: to fly below the radar. Their goal is not to make headlines, but rather to make money while remaining unknown. The group’s notifications are posted in Russian and English, where the former is of better quality. Based on that, it isn’t surprising that the Commonwealth of Independent States in Eastern Europe and Asia (CIS) region is off-limits, ensuring no victims are made in that area.”
The group also avoids targeting morgues, hospitals, COVID-19 vaccine-related organizations, critical infrastructure, law enforcement, and other prominent companies to attract as little attention as possible.
The affiliates are obliged to remain active, or their account will be removed after 10 days without notifying them upfront.
The gang’s affiliates must keep the RTM Locker malware builds private to prevent they can be analyzed. The researchers discovered that the samples contain a self-delete mechanism which is invoked once the victim’s device is encrypted. The group threatens to ban every affiliate who does leak samples.
The redistribution of the RTM Locker by outsourcing the job to other self-hired affiliates is also forbidden, thus avoiding sample circulation.
The communication with the RTM gang is to be done only via the TOX messenger.
In an update provided by the gang, it admitted an internal conflict due to the ongoing war in Ukraine, which ultimately lead to data leakage.
“In connection with the current situation between Russia and Ukraine, there was an incident due to the fault of one of the participants about the drain of one of our servers, work is underway to transfer and restore data. The bleeds of the new software will be made for some time by several of our experienced negotiators. We apologize for the inconvenience!” reads the screenshot.
The attack flow sees the malware elevating privileges, shutting down selected processes and services (i.e. antivirus products), deleting shadow copies, and finally encrypting the files on the targeted systems.
The experts pointed out that this locker is not designed to be distributed via an automated campaign because it only properly works once it’s obtained the required administrative privileges.
“Since most corporate environments do not provide these permissions to most users, it is more likely that the locker is to be executed once a network is within an actor’s control already.” continues the report.
Threat actors can leverage phishing attacks, malspam campaigns, exploits for vulnerabilities in publicly exposed systems, or bought access to target networks to access brokers.
“Based on the group’s modus operandi, it looks like the group is opportunity based, rather than targeting a single industry, nor very specific corporations. The rules define a clear scope as to what is a potential target, allowing affiliates to operate as they see fit. The gang’s primary objective seems to make money, rather than a political motive.” concludes the report.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RTM locker)
