RTM Locker Ransomware Variant Targeting ESXi Servers

RTM Locker ransomware-as-a-service operators have now turned their attention to Linux, network-attached storage devices and ESXi hosts.

Since 2015, the RTM cybercrime group has been involved in financial fraud, using a custom-made banking trojan to steal money from their targets.

The Linux version of RTM Locker ransomware

RTM Locker and Babuk ransomware share commonalities, such as ECDH Curve25519 for asymmetric encryption and random number generation. 

However, Babuk uses Sosemanuk while RTM Locker uses ChaCha20 as the symmetric stream cipher for file encryption, which differentiates the two.

Upon initial inspection of the ransomware binary, it became apparent that the program was tailored to ESXi because of two ESXi-specific commands at the beginning of the code.

Following this trend, ransomware operations have developed Linux encryptors tailored to targeting ESXi servers, which can comprehensively encrypt all enterprise data.

The encryptor will initially try to encrypt all VMware ESXi virtual machines by first compiling a list of active VMs using the command: esxcli vm process list >> vmlist.tmp.txt

Next, it terminates all the running virtual machines using the command: esxcli vm process kill -t=force -w

After all the VMs are terminated, the encryptor begins to encrypt files with the following extensions:

  • .log (log files);
  • .vmdk (virtual disks);
  • .vmem (virtual machine memory);
  • .vswp (swap files);
  • .vmsn (VM snapshots).
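As an added defender-side example (not from the article or the RTM Locker sample itself), the following Python scans ESXi shell-history lines for the inventory-then-forced-kill sequence described above, alerting when an esxcli VM listing is followed within a short window by forced VM kills from the same shell session. The sample lines are constructed, and their layout (modelled on /var/log/shell.log) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the style of ESXi /var/log/shell.log (layout is an assumption).
SAMPLE_SHELL_LOG = """\
2023-04-26T10:14:58Z shell[2001]: [root]: esxcli system version get
2023-04-26T10:15:01Z shell[2001]: [root]: esxcli vm process list >> vmlist.tmp.txt
2023-04-26T10:15:03Z shell[2001]: [root]: esxcli vm process kill -t=force -w 2100456
2023-04-26T10:15:04Z shell[2001]: [root]: esxcli vm process kill -t=force -w 2100512
2023-04-26T11:40:10Z shell[2077]: [root]: esxcli vm process list
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$')
LIST_RE = re.compile(r'\besxcli\s+vm\s+process\s+list\b')
KILL_RE = re.compile(r'\besxcli\s+vm\s+process\s+kill\b.*-t=force')


def parse_shell_log(text):
    """Parse shell.log-style lines into (timestamp, shell pid, user, command) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not look like a shell command record
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        events.append((ts, m['pid'], m['user'], m['cmd']))
    return events


def find_vm_kill_sequences(text, window=timedelta(minutes=5), min_kills=1):
    """Return one alert per shell session in which a VM inventory listing is followed,
    within `window`, by at least `min_kills` forced VM kills (the RTM Locker pattern)."""
    by_pid = {}
    for ts, pid, _user, cmd in parse_shell_log(text):
        by_pid.setdefault(pid, []).append((ts, cmd))
    alerts = []
    for pid, cmds in by_pid.items():
        for i, (ts, cmd) in enumerate(cmds):
            if not LIST_RE.search(cmd):
                continue
            kills = [t for t, c in cmds[i + 1:] if KILL_RE.search(c) and t - ts <= window]
            if len(kills) >= min_kills:
                alerts.append({'pid': pid, 'listed_at': ts.isoformat(), 'forced_kills': len(kills)})
    return alerts
```

A listing alone (session 2077 in the sample) is normal administration and produces no alert; only the listing followed by forced kills does.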

The encryptor then appends the RTM extension to the encrypted files’ names and creates a ransom note on the infected system, instructing the victim to contact RTM’s support within 48 hours via Tox to negotiate a ransom payment, or the stolen data will be published.

IOCs

SHA256
55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638
b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b
d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0

About the Author:

FirstHackersNews
