RTM Locker Ransomware Targets Linux Architecture

A new ransomware binary targeting Linux systems has been attributed to RTM, a Ransomware-as-a-Service (RaaS) group.

Security researchers at Uptycs shared their findings in an advisory published on Wednesday, noting that this is the first time the group has produced a Linux binary.

“The locker ransomware infects Linux, NAS and ESXi hosts and appears to have been inspired by the leaked source code of the Babuk ransomware,” the company explains.

The code similarities include the routine used to generate random numbers, a shared list of file types selected for encryption and, finally, the same hybrid encryption design, which makes it infeasible to restore encrypted files without the attacker’s private key.


Both families, the advisory notes, “use a combination of […] asymmetric encryption and […] symmetric encryption for encrypting files.”

Each encrypted file carries a public key, stored in the file extension on Windows and appended to the end of the file on Linux. To decrypt, that public key is read back and combined with the attacker’s private key to recover the shared secret from which the file’s symmetric key is derived; the ransomware itself never holds the attacker’s private key, so the shared secret cannot be recomputed from what is left on the victim’s disk.

“Both asymmetric and symmetric encryption make it impossible to decrypt encrypted files without the attacker’s private key,” the advisory reads.
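The scheme described above, as an added example that is not code from Uptycs, Babuk or RTM Locker: a per-file X25519 key exchange supplies the asymmetric half, ChaCha20 the symmetric half, and the per-file public key is appended to the end of the ciphertext (the Linux layout described). The KDF (SHA-256 over the shared secret), the fixed 96-bit nonce and the function names are assumptions made for this demonstration; the ransomware’s real key derivation and file layout are not on the page. Both primitives are implemented from their RFCs in plain Python so the block runs offline, but neither is constant-time and there is no authentication, so this is a model of the design, not a usable encryptor.

```python
# Added example: model of hybrid (X25519 + ChaCha20) file encryption with the
# per-file public key appended to the ciphertext. KDF, nonce and names assumed.
import hashlib
import os
import struct

P = 2**255 - 19            # Curve25519 field prime
A24 = 121665               # (486662 - 2) / 4
BASEPOINT = b"\x09" + b"\x00" * 31


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: illustration only."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64              # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _qr(s, a, b, c, d):
    """One ChaCha quarter round (RFC 8439 2.1) applied in place to state s."""
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)),
                             (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] ^= s[x]
        s[z] = ((s[z] << shift) | (s[z] >> (32 - shift))) & 0xFFFFFFFF


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 8439 2.3): 32-byte key, 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                                 # 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13)
        _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)      # column rounds
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12)
        _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)        # diagonal rounds
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def keygen():
    """X25519 key pair; the attacker's public half would ship inside the locker."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def ransom_encrypt(plaintext: bytes, attacker_pub: bytes) -> bytes:
    """Locker side: fresh key per file, ChaCha20 body, ephemeral public key appended."""
    eph_priv = os.urandom(32)                          # discarded, never written to disk
    eph_pub = x25519(eph_priv, BASEPOINT)
    shared = x25519(eph_priv, attacker_pub)
    key = hashlib.sha256(shared).digest()              # assumed KDF
    body = chacha20_xor(key, bytes(12), plaintext)     # fixed nonce: key is single-use
    return body + eph_pub                              # public key at the end of the file


def ransom_decrypt(blob: bytes, attacker_priv: bytes) -> bytes:
    """Decryptor side: only the attacker's private key recovers the shared secret."""
    body, eph_pub = blob[:-32], blob[-32:]
    shared = x25519(attacker_priv, eph_pub)            # same secret as the locker computed
    key = hashlib.sha256(shared).digest()
    return chacha20_xor(key, bytes(12), body)


def demo() -> bool:
    """Round trip on a constructed sample; a wrong private key yields garbage."""
    attacker_priv, attacker_pub = keygen()
    doc = b"constructed sample: quarterly-report.xlsx contents"
    blob = ransom_encrypt(doc, attacker_pub)
    ok = len(blob) == len(doc) + 32 and blob[:-32] != doc
    ok = ok and ransom_decrypt(blob, attacker_priv) == doc
    wrong_priv, _ = keygen()
    return ok and ransom_decrypt(blob, wrong_priv) != doc


if __name__ == "__main__":
    print("hybrid scheme round trip:", "ok" if demo() else "FAILED")
```

The point to take from the model is in `ransom_encrypt`: the only secret that could decrypt the file, `eph_priv`, exists in memory for one file and is never stored, while the 32 bytes that are stored (the ephemeral public key) are useless without `attacker_priv`. That is why recovery of the attacker’s private key, not analysis of the binary, is what makes a decryptor possible, and why memory forensics on a host caught mid-encryption is the only on-victim avenue for recovering per-file keys.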

Uptycs says the new binary specifically targets ESXi hosts, that is, servers or storage appliances running the VMware ESXi hypervisor.

Additionally, Uptycs noted some differences between RTM Locker and Babuk ransomware.

“Babuk differs slightly from RTM Locker in that it uses Sosemanuk for asymmetric encryption, but RTM Locker uses ChaCha20.”

Sosemanuk, like ChaCha20, is a symmetric stream cipher, so the difference between the two families is in the symmetric half of the scheme, the cipher used on the file contents, not in the key exchange.

However, despite the technical analysis of the new binary, the researchers state that RTM Locker’s initial access vector was unknown at the time of writing.

The Uptycs advisory contains a YARA rule that defenders can use to scan files and process memory for the Linux binary.

Another ransomware that has recently evolved to target Linux systems is IceFire, which was recently analyzed by security experts at SentinelOne.

