
RTM Locker Enforces Strict Rules on Affiliates to Avoid Public Attention

A new RaaS provider group has surfaced on the threat landscape, named Read The Manual (RTM) Locker. It follows the typical affiliate-based model, but with a twist: it forces its affiliates to follow strict, business-like rules, including leave notifications and a minimum level of activity within a set period, failing which their accounts may be locked or removed.

What does RTM Locker offer?

According to a report by Trellix, RTM Locker is a typical RaaS offering, which provides a web panel to its affiliates to manage their attack campaigns. 
The panel provides details about the rules, targets, and suggested attack methods.  
  • It further allows the affiliates to add their victims, extort them, and track the campaigns via a data-release-timer function.
  • Affiliates are provided with the ransomware payload, which elevates privileges, deletes shadow copies, and terminates antivirus and backup services before starting data encryption.
  • The payload then changes the wallpaper of the targeted machine, deletes event logs and Recycle Bin contents, and finally runs a shell script that deletes the locker binary itself.
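The pre-encryption steps listed above (shadow copy deletion, service termination, event log clearing, self-deletion) are what a defender can hunt for in process-creation telemetry, because a single occurrence is often legitimate administration while the whole chain under one parent process is not. The following is an added example written for this page, not code from Trellix or from the RTM Locker panel: it runs a few regex rules over constructed Sysmon-style process events and correlates hits by parent process. The command lines it matches (vssadmin, wmic, wevtutil, net stop, the ping-then-del batch trick) are common implementations of these behaviours, not commands the article attributes to RTM Locker, and the sample events are constructed.

```python
"""Flag ransomware pre-encryption behaviours in process-creation events.

Added example for illustration; the rules below match common ways the behaviours
are implemented on Windows, not commands the article attributes to RTM Locker.
"""
import re
from collections import defaultdict

# Hypothetical parent process used in the constructed sample events below.
LOCKER_PARENT = r"C:\Users\Public\locker.exe"

# Constructed sample events (not real telemetry): pid, image, command line, parent.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet", "parent": LOCKER_PARENT},
    {"pid": 4121, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete", "parent": LOCKER_PARENT},
    {"pid": 4122, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil cl Security", "parent": LOCKER_PARENT},
    {"pid": 4123, "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net stop "Veeam Backup Service" /y', "parent": LOCKER_PARENT},
    {"pid": 4124, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt", "parent": r"C:\Windows\explorer.exe"},
    # Benign admin activity: listing shadows is not deletion and must not fire.
    {"pid": 4125, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows", "parent": r"C:\Windows\explorer.exe"},
    # Self-deletion via a delayed batch command (ping as a sleep, then del).
    {"pid": 4126, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\\Users\\Public\\locker.exe"',
     "parent": LOCKER_PARENT},
]

# Rule name -> (regex applied to the lower-cased command line, MITRE ATT&CK technique).
RULES = {
    "shadow_copy_deletion": (re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize"), "T1490"),
    "event_log_clearing": (re.compile(
        r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog"), "T1070.001"),
    "backup_or_av_service_stop": (re.compile(
        r"(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*/im)"
        r"\s+.*(?:veeam|backup|sql|defender|msmpeng|sophos)"), "T1489"),
    "self_deletion": (re.compile(
        r"(?:ping\s+127\.0\.0\.1|timeout\s+\d+).*&.*\bdel\b"), "T1070.004"),
}


def match_rules(event):
    """Return the names of all rules whose regex matches this event's command line."""
    cmd = event["cmd"].lower()
    return [name for name, (rx, _) in RULES.items() if rx.search(cmd)]


def scan(events):
    """Scan events and return (hits, chains).

    hits:   list of (pid, rule_name, technique) for every matching event.
    chains: {parent_image: sorted rule names} for parents whose children triggered
            at least two distinct rules; that correlation is the ransomware signal,
            since any single command may be routine administration.
    """
    hits = []
    rules_by_parent = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits.append((ev["pid"], name, RULES[name][1]))
            rules_by_parent[ev.get("parent", "?")].add(name)
    chains = {parent: sorted(names) for parent, names in rules_by_parent.items()
              if len(names) >= 2}
    return hits, chains


if __name__ == "__main__":
    found, suspicious_parents = scan(SAMPLE_EVENTS)
    for pid, name, technique in found:
        print(f"pid {pid}: {name} ({technique})")
    for parent, names in suspicious_parents.items():
        print(f"ALERT: {parent} chained {len(names)} behaviours: {', '.join(names)}")
```

In the sample batch, `vssadmin list shadows` and the notepad launch produce no hits, the four commands spawned by the hypothetical locker each hit one rule, and the parent-level correlation raises a single alert for that chain; in a real pipeline the same grouping would be done per host and time window rather than over one batch.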

Avoiding attention of law enforcement

RTM Locker is trying its best to stay under the radar and avoid the attention of law enforcement agencies and security researchers.
  • Affiliates are urged to avoid attacks on hospitals, morgues, and COVID-19 vaccine-related corporations. The rules draw a further distinction between categories of medical targets: a dentist's office, for instance, is considered a valid target.
  • Attacks on vital infrastructure, law enforcement agencies, and other major corporations are also on the exclusion list. If an affiliate hits such a target anyway, it must remove all traces of the malware and negotiate with the victim on a separate platform.
  • Attacks on targets in CIS countries are also prohibited by the malware operators.

Additional business-like rules

In addition to its primary motive of avoiding attention, RTM Locker operators have laid down an additional set of professional rules for affiliates to follow.
  • Affiliates are required to stay active or give prior notice of an extended absence. Ten days of inactivity without notice may get them locked out of the affiliate portal.
  • The RTM Locker website is accessible only via the Tor network, and linking it with any publicly available chat software for negotiation is prohibited.
  • Outsourcing the job or redistributing the RTM Locker code is also prohibited by the operators.

Ending notes

RTM Locker is highly focused on staying out of the sight of security agencies. Its strict rules are likely to attract only dedicated adversaries. Moreover, the self-deleting locker and the wiping of event logs and Recycle Bin contents remove much of the evidence responders would otherwise rely on, which makes incident investigation harder for security professionals.
Cyware Publisher