RTM

Malware Profile Updated 2 months ago
RTM is a name that covers two unrelated families, and this profile mixes them.

The original RTM is a banking Trojan, first reported in 2015, that targets customers of Russian financial institutions. Vendors such as Symantec and Microsoft identified an updated version in 2017, and the family is now more commonly tracked as Redaman. The abbreviation RTM is also used for unrelated things, notably "Release To Manufacturing" as in Windows 7 RTM (build 7600), so a document that mentions RTM alongside Windows build numbers is not necessarily about this malware; that build number most likely entered this profile through the name collision rather than describing anything the Trojan requires.

RTM Locker is a separate ransomware operation (also reported as the "Read The Manual" Locker group) that shares the name but not the code. Its Linux/ESXi variant was built from the leaked source code of the now-defunct Babuk ransomware, the same leak behind Rook and the self-propagating Rorschach ransomware, and Babuk-derived lockers of this kind have particularly targeted VMware ESXi hosts. Uptycs' threat intelligence unit identified the Linux variant during dark web reconnaissance. It encrypts victims' files, appends the ".RTM" extension to their names, and drops a ransom note threatening to publish stolen data unless the ransom is paid within 48 hours; victims are told to contact the group's "support" over the anonymous Tox messaging platform to negotiate payment. The initial access vector for RTM Locker is still unknown according to the researchers who analysed it.

Recovering files without paying is unlikely. The locker uses a hybrid scheme: file contents are encrypted with a symmetric cipher, and the symmetric key is protected with asymmetric cryptography. The public key appended to the end of each encrypted file is only one half of that key agreement; deriving the file key also requires the attacker's private key, which never touches the victim's machine. Unless an implementation flaw or a key leak turns up, decryption is not feasible, and no free decryptor for RTM Locker exists.
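To see concretely why a decryptor needs both the public key appended to the file and the operator's private key, here is an added example of the hybrid (ECIES-style) construction such lockers use. It is not RTM Locker's code and not code from this page. The primitives are assumptions chosen for illustration (X25519 key agreement, SHA-256 as a stand-in key-derivation step, AES-256-GCM as the bulk cipher), not a claim about what RTM Locker actually uses; the function names Seal, Open and NewOperatorKey are mine, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Illustrative hybrid sealing. Cipher choices are assumptions made for this
// example, not RTM Locker's actual primitives.
const (
	pubKeyLen = 32 // X25519 public key appended to the tail of each blob
	nonceLen  = 12 // AES-GCM nonce stored at the head of each blob
	tagLen    = 16 // AES-GCM authentication tag
)

// NewOperatorKey generates the long-lived key pair whose private half the
// operator keeps off the victim host; only the public half is ever shipped.
func NewOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey stands in for a real KDF: shared secret -> 256-bit AES key.
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func newGCM(shared []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for operatorPub. A fresh ephemeral key pair is made
// per call; its public half is appended to the output and its private half is
// discarded, so the encrypting side itself cannot reverse the operation.
// Layout: nonce || ciphertext+tag || ephemeralPub.
func Seal(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, nonce...)
	out = gcm.Seal(out, nonce, plaintext, nil)
	return append(out, eph.PublicKey().Bytes()...), nil
}

// Open reverses Seal. It needs the ephemeral public key read from the tail of
// the blob AND the operator's private key; either one alone yields nothing.
func Open(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen+pubKeyLen {
		return nil, errors.New("blob too short to hold nonce, tag and public key")
	}
	split := len(blob) - pubKeyLen
	eph, err := ecdh.X25519().NewPublicKey(blob[split:])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(eph)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	// A wrong private key gives a wrong shared secret; GCM's tag check then fails.
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:split], nil)
}

func main() {
	operator, err := NewOperatorKey()
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample: first bytes of vm-01-flat.vmdk") // constructed input
	blob, err := Seal(operator.PublicKey(), sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d (last %d bytes = ephemeral public key)\n", len(sample), len(blob), pubKeyLen)
	if got, err := Open(operator, blob); err == nil {
		fmt.Printf("operator private key recovers: %q\n", got)
	}
	stranger, _ := NewOperatorKey()
	if _, err := Open(stranger, blob); err != nil {
		fmt.Println("any other private key fails:", err)
	}
}
```

The appended 32 bytes are public by design: an analyst holding every encrypted file and the locker binary still lacks the operator's private scalar, and the per-file ephemeral private key was never written anywhere. That is why the realistic routes to a free decryptor are a leaked operator key or an implementation flaw (a predictable ephemeral key, a reused nonce, a weak KDF), which is what researchers check for before declaring a family undecryptable.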
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
RTM Locker (4 votes): RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou

Redaman (1 vote): Redaman, first reported as the RTM banking Trojan in 2015, is a sophisticated malware that primarily targets users conducting transactions with Russian financial institutions. Major cybersecurity vendors such as Symantec and Microsoft identified an updated version of this malicious software in 2017.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Linux
Locker
Esxi
Malware
RaaS
Encryption
Uptycs
Trojan
Trellix
Windows
Fraud
Banking
Vmware
Ransom
Extortion
Reconnaissance
Cybercrime
Eset
Associated Malware
Babuk (type unspecified, 4 votes): Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, often leading to significant disruptions in operations. A notable instance of Babuk's destructive capabilities occurred on December 7th, when a printing company fell prey to the ransomware. The

Conti (type unspecified, 3 votes): Conti is a type of malware, specifically ransomware, which was designed to infiltrate systems, disrupt operations, and potentially hold data hostage for ransom. The malware has been used by various threat actors, including ITG23, who have utilized it alongside other malicious software such as Trickb

Locker Ransomware (type unspecified, 1 vote): Locker ransomware, a type of malware, poses significant risks to computer systems and data. Unlike crypto-ransomware, which encrypts user data, locker ransomware locks users out of their devices entirely, demanding a ransom payment to restore access without any data encryption. This threat has evolve

REvil (type unspecified, 1 vote): REvil, also known as Sodinokibi, is a type of malware that gained notoriety through its use in ransomware attacks. As the Ransomware as a Service (RaaS) model grew in popularity during 2020, relationships between first-stage malware and subsequent ransomware attacks were established. One such connec
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RTM malware was read from the documents corpus below. This display is limited to 20 results.

CERT-EU (a year ago): Analysis of the ransomware landscape in May 2023 - 360CERT
CERT-EU (a year ago): Matthieu Faou | WeLiveSecurity
MITRE (a year ago): Russian Language Malspam Pushing Redaman Banking Malware
MITRE (a year ago): GitHub - hfiref0x/UACME: Defeating Windows User Account Control
CERT-EU (a year ago): An expert named a way to solve the problem of cyberattacks in Russia
CERT-EU (a year ago): Russia predicted to face a new wave of data leaks
CERT-EU (a year ago): CISO Forum 2023 is coming very soon!
CERT-EU (a year ago): New investigation by Trellix's ARC research center into the RTM Locker ransomware | UnderNews
InfoSecurity-magazine (a year ago): RTM Locker Gang Targets Corporate Environments with Ransomware
CERT-EU (a year ago): Read The Manual Locker ransomware operation on the rise
CERT-EU (a year ago): Ransomware-as-a-service provider: RTM Locker - FreeBuf cybersecurity industry portal
CERT-EU (a year ago): RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts
InfoSecurity-magazine (a year ago): RTM Locker Ransomware Targets Linux Architecture
Securityaffairs (a year ago): Researchers found the first Linux variant of the RTM locker
CERT-EU (a year ago): RTM Locker Ransomware Gang Targets VMware ESXi Servers
CERT-EU (a year ago): Linux version of RTM Locker ransomware targets VMware ESXi servers – Cyber Security Review
CERT-EU (a year ago): RTM Locker Ransomware Attacks Linux, NAS, and ESXi Servers | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU (a year ago): The Good, the Bad and the Ugly in Cybersecurity – Week 17 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU (a year ago): Cyber Security Today, Week in Review for the week ending Friday, April 28, 2023 | IT World Canada News
BankInfoSecurity (a year ago): RTM Locker RaaS Group Turns to Linux, NAS and ESXi Hosts