A new RaaS provider group, named Read The Manual (RTM) Locker, has surfaced on the threat landscape. It follows the typical affiliate-based model, but with a twist: it forces its affiliates to follow strict business-like rules, including leave notifications and a minimum level of activity within a set period, failing which their accounts may be locked or removed.
What does RTM Locker offer?
According to a report by Trellix, RTM Locker is a typical RaaS offering, which provides a web panel to its affiliates to manage their attack campaigns. The panel provides details about the rules, targets, and suggested attack methods.
- It further allows the affiliates to add their victims, extort them, and track the campaigns via a data-release-timer function.
- Affiliates are provided with the ransomware payload, which elevates privileges, deletes shadow copies, and terminates antivirus and backup services before starting data encryption.
- The payload changes the wallpaper of the targeted machine, deletes event logs and Recycle Bin contents, and ultimately runs a shell script that self-deletes the locker.
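The payload behaviours listed above (shadow-copy deletion, service termination, event-log clearing, self-deletion) are individually noisy but, seen together on one host in a short window, form a strong signal. The following is an added defender-side example, not code from RTM Locker or from the Trellix report: the command lines used as stage indicators are assumed stand-ins (the page names the behaviours, not the commands), and the process-creation events are constructed sample data.

```python
"""Correlate the staged ransomware behaviours described above on a per-host basis.

Constructed example. Stage patterns are assumed indicators, not RTM Locker's
actual command lines; SAMPLE_EVENTS are constructed process-creation records.
"""
import re
from collections import defaultdict

# Stage name -> regex over a process command line (assumed indicators per stage).
STAGE_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin\b.*delete\s+shadows|wmic\b.*shadowcopy\s+delete", re.I),
    "backup_or_av_service_stop": re.compile(r"\b(net\s+stop|sc\s+stop|taskkill)\b", re.I),
    "event_log_clearing": re.compile(r"wevtutil\b.*\bcl\b|Clear-EventLog", re.I),
    "self_deletion": re.compile(r"\bdel\b.*\b\S+\.exe\b", re.I),
}

# Constructed events: (host, timestamp in seconds, command line).
SAMPLE_EVENTS = [
    ("ws-01", 100, "notepad.exe C:\\Users\\a\\notes.txt"),
    ("ws-01", 105, "vssadmin.exe delete shadows /all /quiet"),
    ("ws-01", 106, "net stop BackupSvc"),
    ("ws-01", 140, "wevtutil.exe cl Security"),
    ("ws-01", 141, "cmd.exe /c del C:\\Temp\\locker.exe"),
    ("ws-02", 300, "net stop Spooler"),               # one stage only: routine admin work
    ("ws-03", 500, "wevtutil.exe cl Application"),
    ("ws-03", 1200, "vssadmin.exe delete shadows /all"),  # second stage falls outside the window
]

def classify(cmdline):
    """Return the names of every stage whose pattern matches one command line."""
    return [stage for stage, pat in STAGE_PATTERNS.items() if pat.search(cmdline)]

def find_staged_hosts(events, window=600, min_stages=2):
    """Flag hosts on which at least `min_stages` distinct stages occur within `window`
    seconds of each other. Returns {host: sorted stage names} for flagged hosts only."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        for stage in classify(cmd):
            per_host[host].append((ts, stage))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):           # slide a window from each hit
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged

if __name__ == "__main__":
    for host, stages in find_staged_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

With the sample data only ws-01 is flagged; widening the window to 1000 seconds also catches ws-03, which illustrates the precision/recall trade-off of the window size.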
Avoiding attention of law enforcement
RTM Locker is trying its best to stay under the radar and avoid attention from law enforcement agencies and security researchers.
- To avoid any attention, affiliates are urged to avoid attacks on hospitals, morgues, and COVID-19 vaccine-related corporations. There is a further distinction between categories of hospitals to avoid; for instance, a dentist’s office is considered a valid target.
- Attacks on vital infrastructure, law enforcement agencies, and other major corporations are also on its exclusion list. If such an attack happens anyway, affiliates are forced to remove all traces of the malware and negotiate with the victims on a separate platform.
- Further, attacks on CIS countries are not allowed by the operators.
Additional business-like rules
In addition to its primary motive of avoiding attention, RTM Locker operators have laid down an additional set of professional rules for affiliates to follow.
- Affiliates are required to stay active or give prior notice of any extended absence. Inactivity for 10 days without prior notice may get them locked out of their affiliate portal.
- The RTM Locker website is accessible only via the TOR network, and linking it with any publicly available chat software for negotiation is prohibited.
- Outsourcing the job or redistributing the RTM Locker code is also prohibited by the operators.
Ending notes
RTM Locker is highly focused on staying away from the attention of security agencies. Strict rules would ensure that only dedicated adversaries are attracted to this malware. Moreover, the self-deleting nature of RTM Locker and the wiping of logs make it harder for security professionals to investigate.