Researchers at the security firm Trellix have detailed the tactics of RTM Locker ("Read The Manual" Locker), an emerging group that operates as a ransomware-as-a-service (RaaS) provider and attacks for profit.
RTM Locker relies on affiliates to deploy the ransomware and collect ransom from victims, and all affiliates must abide by the group's strict rules. This business structure, in which affiliates must remain active and must notify the gang before leaving, shows an organizational maturity previously seen in groups such as Conti.
The group's key feature is its ability to operate in the shadows, deliberately avoiding high-profile targets that might draw attention to its operations. To that end, the CIS countries, as well as morgues, hospitals, corporations associated with the COVID-19 vaccine, critical infrastructure, law enforcement agencies and other companies that would attract attention, are excluded from the list of RTM Locker targets.
Affiliates receive the malicious builds of RTM Locker under strict regulations that forbid leaking samples; those who do risk being blocked. Another clause blocks affiliates who remain inactive for 10 days without notice.
This activity requirement makes it harder for insiders and security researchers to infiltrate the gang, since a dormant affiliate account is quickly revoked.
The researchers suggest that the ransomware is executed on networks the attacker already controls, meaning initial access is obtained by other means, such as phishing, malicious spam, or exploitation of vulnerable Internet-facing servers.
The RTM Locker payload is capable of doing the following:
- elevate privileges;
- disable antivirus services;
- disable backup services;
- delete shadow copies before starting the encryption procedure;
- empty the Recycle Bin to prevent recovery;
- change wallpaper;
- clear event logs;
- execute a shell command.
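Several of the capabilities above (deleting shadow copies, disabling backup and antivirus services, clearing event logs, emptying the Recycle Bin) leave recognizable traces in process-creation telemetry before encryption begins. The following is an added detection example, written for this page and not code from Trellix or from RTM Locker itself: it runs simple behaviour rules over constructed Sysmon-style process events and flags a host only when several distinct pre-encryption behaviours appear together. The Windows commands in the rules (vssadmin, wevtutil, sc/net stop, Set-MpPreference, rd on $Recycle.Bin) are generic ransomware tradecraft assumed for illustration; the page does not state which commands RTM Locker actually uses, and the sample events, hostnames and service names are made up.

```python
import re

# Behaviours from the capability list, mapped to Windows commands commonly
# used for them. These commands are assumptions for illustration; they are
# not taken from the Trellix analysis of RTM Locker.
RULES = [
    ("delete shadow copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy")),
    ("clear event logs",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog")),
    ("disable backup services",
     re.compile(r"(?:sc(\.exe)?\s+(?:stop|config)|net(\.exe)?\s+stop)"
                r"\s+\S*(?:backup|veeam|acronis)"
                r"|wbadmin(\.exe)?\s+delete\s+catalog")),
    ("disable antivirus services",
     re.compile(r"set-mppreference\s.*-disablerealtimemonitoring"
                r"|sc(\.exe)?\s+(?:stop|config)\s+\S*(?:windefend|sense)")),
    ("empty recycle bin",
     re.compile(r"rd\s+/s\s+/q\s+\S*\$recycle\.bin|clear-recyclebin")),
]

# Constructed process-creation events (Sysmon event ID 1 style); not real
# telemetry. ws02 shows benign look-alikes (a log query, a shadow listing).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120,
     "command_line": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "pid": 4133, "command_line": "wevtutil.exe cl Security"},
    {"host": "ws01", "pid": 4140, "command_line": "net stop VeeamBackupSvc"},
    {"host": "ws02", "pid": 2210,
     "command_line": r"C:\Windows\System32\wevtutil.exe qe Security /c:5"},
    {"host": "ws02", "pid": 2218, "command_line": "vssadmin list shadows"},
    {"host": "ws03", "pid": 980,
     "command_line": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
]


def match_rules(command_line):
    """Return the behaviour labels whose pattern matches this command line."""
    cmd = command_line.lower()
    return [label for label, pattern in RULES if pattern.search(cmd)]


def scan_events(events):
    """Group matched behaviours per host: {host: set(labels)}."""
    hits = {}
    for ev in events:
        for label in match_rules(ev["command_line"]):
            hits.setdefault(ev["host"], set()).add(label)
    return hits


def suspicious_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct pre-encryption behaviours.

    A lone shadow-copy deletion may be an administrator; several of these
    behaviours on one host is the ransomware staging pattern worth paging on.
    """
    return sorted(host for host, labels in scan_events(events).items()
                  if len(labels) >= threshold)


if __name__ == "__main__":
    for host, labels in sorted(scan_events(SAMPLE_EVENTS).items()):
        print(host, sorted(labels))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Run against the constructed events, ws01 is the only host that trips the threshold; ws03's single Defender change is recorded but not escalated, and ws02's queries match nothing. In production the same logic would sit on a short time window per host, since these steps typically run seconds apart and immediately before encryption starts.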
The findings suggest that cybercriminal groups will continue to adopt new tactics and methods to remain undetected by both researchers and law enforcement.