The “Read The Manual” (RTM) Locker group has been observed targeting corporate environments with ransomware while forcing its affiliates to follow a strict set of rules.
The group’s businesslike approach (also seen by other threat actors such as Conti) shows the maturity of its organization, according to an advisory released Thursday by cybersecurity experts at Trellix.
The company recently analyzed the latest version of the RTM Locker group’s affiliate panel, which reveals the group’s rules, targets and tactics.
“The panel’s login page requires a username/password combination and a captcha code to prevent other attackers or researchers from brute-force login attempts,” writes Malware Analyst Max Kersten. “Within the panel, affiliates can add ransom victims.”
This tactic, previously identified by Trellix, allows RTM Locker to extort victims twice: first by encrypting files, then by threatening to expose exfiltrated data in order to name and shame the victim.
“The gang’s mode of operation focuses on one goal: to fly under the radar. Their goal is not to make headlines, but to make money without being known,” Kersten added.
“Affiliates must remain active or their accounts will be deleted. Affiliates who are inactive for 10 days without prior notice will be barred from the panel.”
To this end, affiliates are expressly warned not to target critical infrastructure, law enforcement, and other large corporations. Additionally, communication with the group must go through its TOX messenger, and affiliates are prohibited from publicly linking negotiation chats.
“The group notices are posted in Russian and English, but the former is of better quality,” Trellix’s advisory reads. “On that basis, it is not surprising that the Commonwealth of Independent States (CIS) region in Eastern Europe and Asia is off-limits.” Attacks on morgues, hospitals and COVID-19 vaccine companies are also banned.
Kersten also explained that, based on RTM Locker’s tactics, its attacks are likely opportunistic.
“The rules define clear boundaries for potential targets and allow affiliates to operate in any way they see fit.”
However, according to KnowBe4 security awareness advocate Erich Kron, most of these attacks likely start with a simple phishing email.
“Organizations can protect themselves by educating employees on how to spot and report phishing emails, having robust and tested backups, and having well-tuned data loss prevention controls in place. These are known to go a long way in minimizing the impact of these potential threats, which depend on the organization,” Kron added.
In February, an international police operation dismantled a criminal network responsible for millions of dollars in business email compromise (BEC) losses.