RTM

Malware updated 8 days ago (2024-11-29T13:37:18.398Z)
Download STIX
Preview STIX
RTM is a malicious software, first reported as the RTM banking Trojan, that was initially detected by vendors such as Symantec and Microsoft in 2017. This malware operates on Windows 7 RTM (7600) and was later updated to a variant known as Redaman. The leaked source code of RTM has been utilized to create new ransomware variants including RTM Locker, Rook, and the self-propagating Rorschach ransomware. These variants have been particularly targeting ESXi servers. RTM Locker, discovered by Uptycs’ Threat Intelligence unit during dark web reconnaissance, encrypts victims' files, appending the ".RTM" extension to their names, and creates a ransom note threatening the publication of stolen data if a ransom isn't paid within 48 hours. Victims are instructed to contact RTM’s “support” via the anonymous messaging platform Tox to initiate negotiations for the ransom payment. However, the initial access vector for RTM Locker remains unknown according to security researchers. Decryption of files locked with RTM Locker appears unlikely due to the use of a combination of asymmetric and symmetric encryption which makes decryption impossible without the private key. Decrypting a file requires both the public key appended to the end of the encrypted file and the attacker's private key. Currently, there are no free decryptors for RTM Locker as the encryption process used is secure and hasn’t been cracked.
Description last updated: 2024-05-04T17:44:38.045Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
RTM Locker is a possible alias for RTM. RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Esxi
Linux
Locker
Malware
RaaS
Encryption
Trojan
Uptycs
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Babuk Malware is associated with RTM. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatioUnspecified
4
The Conti Malware is associated with RTM. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personaUnspecified
3
Source Document References
Information about the RTM Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
2 years ago
MITRE
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
InfoSecurity-magazine
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
InfoSecurity-magazine
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
BankInfoSecurity
2 years ago