Emerging Cybercrime Group Targeting Businesses with Ransomware

April 13, 2023 | Ravie Lakshmanan | Ransomware / Cyberattack

Cybersecurity researchers have discovered an “emerging” cybercrime group dubbed “Read The Manual” (RTM) Locker, which operates as a private Ransomware-as-a-Service (RaaS) provider and carries out opportunistic attacks to generate illicit profits. The researchers also detailed the collective’s tactics.

“The ‘Read The Manual’ Locker gang uses affiliates to hold victims for ransom, and all victims are forced to follow the gang’s strict rules,” cybersecurity firm Trellix said in a report shared with The Hacker News.

“The group’s business-like structure, in which affiliates must either continue their activities or notify the gang of their leave, indicates the group’s organizational maturity, as has also been observed in other groups such as Conti.”

First documented by ESET in February 2017, RTM began in 2015 as banking malware targeting Russian businesses via drive-by downloads, spam, and phishing emails. The attack chain launched by this group has since evolved to deploy ransomware payloads on compromised hosts.

In March 2021, this Russian-speaking group was allegedly involved in an extortion campaign that deployed three threats: a financial Trojan, a legitimate remote access tool, and a ransomware strain called Quoter.

Trellix told The Hacker News there is no connection between Quoter and the RTM Locker ransomware executable used in the latest attack.


A key characteristic of the threat actors is their ability to operate in the shadows, intentionally avoiding high-profile targets that could draw attention to their activities. To that end, organizations in CIS countries, morgues, hospitals, COVID-19 vaccine companies, critical infrastructure, law enforcement agencies, and other prominent entities are declared off-limits to the group’s affiliates.

“The RTM gang’s goal is to attract as little attention as possible,” said security researcher Max Kersten. “That’s when the rules help them avoid attacking high-value targets. Affiliate management to reach its goals requires a certain amount of sophistication, although it is not high level per se.”


RTM Locker malware builds are bound by strict obligations that prohibit affiliates from leaking samples, at the risk of a ban. Among the other rules laid out is a clause that locks out an affiliate who is inactive for 10 days without prior notice.

“The effort the gang put into avoiding the attention was most unusual,” Kersten explained. “Overall, the gang’s specific efforts in this area are higher than typically observed compared to other ransomware groups.”

The locker is suspected to be executed only once the attacker already controls the network, which suggests the initial compromise happens through other means, such as phishing attacks, malspam, or the exploitation of vulnerable servers exposed to the internet.

Like other RaaS groups, the attackers use extortion techniques to pressure victims into paying. The payload is able to elevate privileges, terminate antivirus and backup services, and delete shadow copies before initiating the encryption procedure.

It is also designed to run shell commands that empty the recycle bin to prevent recovery, change the wallpaper, clear the event log, and, as a final step, self-delete the locker.
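The pre-encryption behaviours listed above (stopping backup and antivirus services, deleting shadow copies, emptying the recycle bin, clearing event logs) are observable in process-creation telemetry before any file is encrypted. The following detector is an added example, not code from the article or from Trellix: the log records are constructed, the command-line patterns are the usual Windows utilities for each behaviour and are this example's assumption rather than RTM Locker's actual command lines, and the rule that a parent process must show at least two distinct behaviours is a noise-reduction threshold chosen here.

```python
import re

# Constructed sample process-creation records (not from the article), one per line:
# timestamp|host|parent_image|command_line
SAMPLE_LOG = """\
2023-04-13T10:01:02Z|WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2023-04-13T10:02:15Z|WS01|locker.exe|vssadmin.exe delete shadows /all /quiet
2023-04-13T10:02:16Z|WS01|locker.exe|net stop "Veeam Backup Service" /y
2023-04-13T10:02:17Z|WS01|locker.exe|wevtutil.exe cl Security
2023-04-13T10:02:18Z|WS01|locker.exe|cmd.exe /c rd /s /q C:\\$Recycle.Bin
2023-04-13T10:05:00Z|WS02|explorer.exe|net stop "Veeam Backup Service" /y
"""

# One rule per pre-encryption behaviour the article lists. The command names are the
# usual Windows utilities for each behaviour; they are this example's assumption, not
# RTM Locker's actual command lines.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("backup_or_av_service_stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\b.*\b(backup|veeam|acronis|defend)", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("recycle_bin_emptied", re.compile(r"\$recycle\.bin", re.I)),
]


def behaviours_in(command_line):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def detect(log_text, min_behaviours=2):
    """Group hits by (host, parent process) and report each parent showing at least
    `min_behaviours` distinct behaviours; a lone hit (an admin stopping a backup
    service) is not reported. Returns [(host, parent_image, sorted behaviours), ...]."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, parent, command_line = line.split("|", 3)
        for name in behaviours_in(command_line):
            seen.setdefault((host, parent), set()).add(name)
    return [(host, parent, tuple(sorted(names)))
            for (host, parent), names in sorted(seen.items())
            if len(names) >= min_behaviours]
```

On the constructed sample, only `locker.exe` on WS01 is reported; the single backup-service stop on WS02 stays below the threshold, which is the point of correlating behaviours per parent process rather than alerting on each command alone.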

The findings suggest that cybercriminal groups “continue to employ new tactics and methods to help them avoid headlines and escape the scrutiny of researchers and law enforcement.”
