RTM Group Introduces a new Linux Ransomware
RTM Group, a well-known ransomware-as-a-service provider, has launched a new Linux ransomware binary that can target ESXi and NAS hosts. The ransomware appears to have been inspired by the leaked source code of the Babuk ransomware and is already causing concern among security experts. RTM Locker, the Linux variant, uses a combination of asymmetric and symmetric encryption, making it nearly impossible to decrypt files without the private key. The malware is specifically aimed at ESXi hosts, as it includes two ESXi-related commands. It uses Elliptic-curve Diffie-Hellman (ECDH) for both asymmetric and symmetric encryption and uses pthreads to speed up execution.
The initial infection vector for RTM Locker is currently unknown, but victims are instructed to contact the support team within 48 hours via Tox to avoid having their data published. The gang relies on affiliates to distribute the ransomware and intentionally avoids high-profile targets such as law enforcement, critical infrastructure, and hospitals. The binary is statically compiled and stripped, which lets it run on a wider range of systems while making reverse engineering more difficult.
While RTM Locker and Babuk share some similarities, such as the same random number generation method and the same asymmetric encryption, they differ in their asymmetric encryption algorithm: Babuk uses Sosemanuk, while RTM Locker uses ChaCha20. It remains unclear whether the two ransomware strains are related.
Protecting against RTM Locker requires a multifaceted approach. Security experts recommend scanning suspicious processes with YARA or a comparable third-party tool. Deploying a security solution with advanced detection capabilities is also essential. However, prevention is always better than cure, and organizations can take several steps to minimize their risk of falling victim to a ransomware attack.
One of the most crucial steps is to ensure that all software and systems are up to date with the latest patches and updates. Many ransomware attacks exploit vulnerabilities that could have been fixed with a simple patch. Organizations should also limit access to critical systems and data, restrict user privileges, and implement a robust backup and recovery strategy.
The launch of the RTM Locker Linux ransomware highlights the growing threat of ransomware attacks and the need for organizations to remain vigilant. While the malware is currently targeting Linux-based systems, cybercriminals can develop similar strains for other platforms. Therefore, organizations must take a proactive approach to security and prioritize measures to minimize the risk of a ransomware attack. By following best practices for cybersecurity and implementing robust security solutions, organizations can protect themselves against the threat of ransomware and other cyber threats.
Author: Manjushree Gavitre