RTM Locker ransomware-as-a-service operators have now turned their attention to Linux, network-attached storage devices and ESXi hosts.
Since 2015, the RTM cybercrime group has been involved in financial fraud, using a custom-made banking trojan to steal money from their targets.
The Linux version of RTM Locker ransomware
RTM Locker and Babuk ransomware share commonalities, such as ECDH Curve25519 for asymmetric encryption and random number generation.
However, the two differ in the stream cipher they use: Babuk uses Sosemanuk, while RTM Locker uses ChaCha20.
Upon initial inspection of the ransomware binary, it became apparent that the program was tailored towards ESXi due to two ESXi commands at the beginning of the code.
Following this trend, ransomware operations have developed Linux encryptors tailored to ESXi servers: because a single host runs many virtual machines, encrypting it lets the attackers take large amounts of enterprise data hostage at once.
The encryptor will initially try to encrypt all VMware ESXi virtual machines by first compiling a list of active VMs using the command: esxcli vm process list >> vmlist.tmp.txt
Next, it terminates all the running virtual machines using the command: esxcli vm process kill -t=force -w
After all the VMs are terminated, the encryptor begins to encrypt files with the following extensions:
- .log (log files);
- .vmdk (virtual disks);
- .vmem (virtual machine memory);
- .vswp (swap files);
- .vmsn (VM snapshots).
The encryptor then appends the RTM extension to the files’ names and creates a ransom note on the infected system, demanding that the victim contact RTM’s support within 48 hours via Tox to negotiate a ransom payment, or the stolen data will be published.
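The behaviour described above gives defenders two concrete signals: an `esxcli vm process list` followed shortly by a forced `esxcli vm process kill`, and VM-related files (.log, .vmdk, .vmem, .vswp, .vmsn) that have gained an extra RTM suffix. The script below is an added example written for this article, not code from the original page or from any RTM Locker sample; the log line format (`<ISO timestamp> <user> <command>`), the datastore paths and the ten-minute pairing window are constructed assumptions for illustration.

```python
"""Detection logic for the RTM Locker ESXi behaviour described in the article.

Signal 1: a VM enumeration (esxcli vm process list) followed within a short
window by a forced VM kill (esxcli vm process kill -t=force) from the same user.
Signal 2: datastore file names where a targeted VM extension has been suffixed
with the RTM marker (e.g. disk.vmdk.RTM).

All log lines and paths here are constructed sample data; the log format
"<ISO timestamp> <user> <command>" is an assumption for this example.
"""
import re
from datetime import datetime, timedelta

TARGETED_EXTENSIONS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}  # from the article
RANSOM_SUFFIX = ".RTM"          # extension appended after encryption (per the article)
KILL_WINDOW = timedelta(minutes=10)  # assumed pairing window between list and kill

LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*-t=force")


def parse_line(line):
    """Split '<ISO timestamp> <user> <command...>' into its three parts."""
    ts_str, user, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), user, cmd


def find_enumerate_then_kill(lines, window=KILL_WINDOW):
    """Return (list_ts, kill_ts, user) for every forced kill that follows a
    VM listing by the same user within the window."""
    last_list = {}   # user -> timestamp of that user's most recent 'process list'
    hits = []
    for line in lines:
        ts, user, cmd = parse_line(line)
        if LIST_RE.search(cmd):
            last_list[user] = ts
        elif KILL_RE.search(cmd):
            t0 = last_list.get(user)
            if t0 is not None and ts - t0 <= window:
                hits.append((t0, ts, user))
    return hits


def find_ransom_suffixed(paths, suffix=RANSOM_SUFFIX):
    """Return paths that end in the ransom suffix and whose original extension
    is one of the VM file types the encryptor targets."""
    flagged = []
    for p in paths:
        if not p.endswith(suffix):
            continue
        stem = p[: -len(suffix)]          # strip the appended suffix
        dot = stem.rfind(".")
        if dot != -1 and stem[dot:].lower() in TARGETED_EXTENSIONS:
            flagged.append(p)
    return flagged


# Constructed sample shell/audit log: root enumerates then force-kills two VMs;
# admin lists VMs and later does a soft kill, which should not be flagged.
SAMPLE_SHELL_LOG = [
    "2024-01-01T03:00:00 root esxcli vm process list >> vmlist.tmp.txt",
    "2024-01-01T03:00:05 root esxcli vm process kill -t=force -w 12345",
    "2024-01-01T03:00:06 root esxcli vm process kill -t=force -w 12346",
    "2024-01-01T09:00:00 admin esxcli vm process list",
    "2024-01-01T09:30:00 admin esxcli vm process kill -t=soft -w 777",
]

# Constructed datastore listing: two encrypted VM files, one untouched disk,
# a config file, and a renamed file whose original type is not targeted.
SAMPLE_DATASTORE = [
    "/vmfs/volumes/ds1/vm1/vm1.vmdk.RTM",
    "/vmfs/volumes/ds1/vm1/vm1-flat.vmdk",
    "/vmfs/volumes/ds1/vm1/vmware.log.RTM",
    "/vmfs/volumes/ds1/vm1/vm1.vmx",
    "/vmfs/volumes/ds1/vm1/notes.txt.RTM",
]

if __name__ == "__main__":
    for t0, t1, user in find_enumerate_then_kill(SAMPLE_SHELL_LOG):
        print(f"ALERT: {user} listed VMs at {t0} and force-killed one at {t1}")
    for p in find_ransom_suffixed(SAMPLE_DATASTORE):
        print(f"ALERT: targeted VM file renamed with ransom suffix: {p}")
```

Run against the constructed data, the first check reports the two forced kills by root and ignores admin's soft kill, and the second check flags the renamed .vmdk and .log files but not notes.txt.RTM, whose original type is not one the article lists. In production the pairing window and the exact log format would be tuned to the host's audit source, and a stricter rule would flag any file ending in the ransom suffix regardless of its original type.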