Apr 13, 2023 Ravie Lakshmanan
Cybersecurity researchers have detailed the tactics of a
“rising” cybercriminal gang called “Read The Manual” (RTM) Locker
that functions as a private ransomware-as-a-service (RaaS) provider
and carries out opportunistic attacks to generate illicit
profit.
“The ‘Read The Manual’ Locker gang uses affiliates to ransom
victims, all of whom are forced to abide by the gang’s strict
rules,” cybersecurity firm Trellix said in a report[1]
shared with The Hacker News.
“The business-like set-up of the group, where affiliates are
required to remain active or notify the gang of their leave, shows
the organizational maturity of the group, as has also been observed
in other groups, such as Conti[2].”
RTM[3], first documented by
ESET in February 2017, started off[4]
in 2015 as banking malware targeting businesses in Russia via
drive-by downloads, spam, and phishing emails. Attack chains
mounted by the group have since evolved[5]
to deploy a ransomware payload on compromised hosts.
In March 2021, the Russian-speaking group was attributed[6]
to an extortion and blackmail campaign that deployed a trifecta of
threats, including a financial trojan, legitimate remote access
tools, and a ransomware strain called Quoter[7].
Trellix told The Hacker News that there is no relationship
between Quoter and the RTM Locker ransomware executable used in the
latest attacks.
A key trait of the threat actor is its ability to operate in
the shadows by deliberately avoiding high-profile targets that
could draw attention to its activities. To that end, CIS countries,
as well as morgues, hospitals, COVID-19 vaccine-related
corporations, critical infrastructure, law enforcement, and other
prominent companies are off-limits for the group.
“The RTM gang’s goal is to attract as little attention as
possible, which is where the rules help them to avoid hitting
high-value targets,” security researcher Max Kersten said. “Their
management of affiliates to accomplish that goal requires some
level of sophistication, though it’s not a high level per se.”
RTM Locker malware builds are bound by strict mandates that
forbid affiliates from leaking the samples, or else risk facing a
ban. Among the other rules laid out is a clause that locks out
affiliates should they remain inactive for 10 days without
giving notice beforehand.
“The effort the gang put into avoiding drawing attention was the
most unusual,” Kersten explained. “The affiliates need to be active
as well, making it harder for researchers to infiltrate the gang.
All in all, the gang’s specific efforts in this area are higher
than normally observed compared to other ransomware groups.”
It’s suspected that the locker is executed on networks that are
already under the adversary’s control, indicating that the systems
may have been compromised by other means, such as phishing attacks,
malspam, or the exploitation of internet-exposed vulnerable
servers.
The threat actor, like other RaaS groups, uses extortion
techniques to compel victims into paying up. The payload, for its
part, is capable of elevating privileges, terminating antivirus and
backup services, and deleting shadow copies before commencing its
encryption procedure.
It’s also designed to empty the Recycle Bin to prevent recovery,
change the wallpaper, wipe event logs, and execute a shell command
that self-deletes the locker as a last step.
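Added example (not code from the Trellix report or from this article): detection logic run over constructed Windows process-creation log lines, flagging a host on which several of the pre-encryption behaviours listed above appear together rather than in isolation. The article does not name the locker's actual commands; the command-line patterns here are the commonly documented Windows commands for each behaviour and are an assumption, as is the log format.

```python
import re
from collections import defaultdict

# Constructed process-creation log (not from the article), one event per line:
# "<timestamp> host=<name> cmdline=<command line>"
SAMPLE_LOG = """\
2023-04-13T10:00:01 host=WS01 cmdline=notepad.exe C:\\Users\\a\\notes.txt
2023-04-13T10:00:05 host=WS01 cmdline=vssadmin.exe delete shadows /all /quiet
2023-04-13T10:00:06 host=WS01 cmdline=net stop VeeamBackupSvc /y
2023-04-13T10:00:09 host=WS01 cmdline=wevtutil.exe cl Security
2023-04-13T10:00:30 host=WS01 cmdline=cmd.exe /c ping 127.0.0.1 -n 3 & del C:\\Temp\\locker.exe
2023-04-13T10:05:00 host=SRV02 cmdline=wevtutil.exe cl Application
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmdline=(?P<cmd>.*)$")

# One rule per behaviour the article attributes to the locker. The article
# does not list the locker's real commands; these are the commonly documented
# Windows commands for each behaviour (assumption of this example).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_or_av_service_stop": re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\s+\S*(backup|veeam|defend|vss)", re.I),
    "event_log_wipe": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+", re.I),
    "self_deletion": re.compile(r"\bcmd(\.exe)?\s+/c\s+.*\b(del|erase)\b.*\.exe", re.I),
}

def match_behaviours(log_text):
    """Return {host: [(timestamp, behaviour, cmdline), ...]} for lines hitting a rule."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        for name, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                hits[m["host"]].append((m["ts"], name, m["cmd"]))
    return dict(hits)

def flag_ransomware_chains(log_text, min_behaviours=3):
    """Hosts showing at least `min_behaviours` distinct behaviours.
    A lone event-log clear is routine admin noise (SRV02 below); shadow
    deletion, a backup-service stop and a log wipe together on one host
    is the pre-encryption chain the article describes (WS01)."""
    hits = match_behaviours(log_text)
    return {host: sorted({b for _, b, _ in events})
            for host, events in hits.items()
            if len({b for _, b, _ in events}) >= min_behaviours}
```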
The findings suggest that cybercrime groups will continue to
“adopt new tactics and methods to avoid the headlines and help them
fly under the radar of researchers and law enforcement alike,”
Kersten noted.
Read more https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html