RTM

Malware updated 7 months ago (2024-05-04T18:48:09.375Z)

Download STIX

Preview STIX

RTM is a malicious software, first reported as the RTM banking Trojan, that was initially detected by vendors such as Symantec and Microsoft in 2017. This malware operates on Windows 7 RTM (7600) and was later updated to a variant known as Redaman. The leaked source code of RTM has been utilized to create new ransomware variants including RTM Locker, Rook, and the self-propagating Rorschach ransomware. These variants have been particularly targeting ESXi servers. RTM Locker, discovered by Uptycs’ Threat Intelligence unit during dark web reconnaissance, encrypts victims' files, appending the ".RTM" extension to their names, and creates a ransom note threatening the publication of stolen data if a ransom isn't paid within 48 hours. Victims are instructed to contact RTM’s “support” via the anonymous messaging platform Tox to initiate negotiations for the ransom payment. However, the initial access vector for RTM Locker remains unknown according to security researchers. Decryption of files locked with RTM Locker appears unlikely due to the use of a combination of asymmetric and symmetric encryption which makes decryption impossible without the private key. Decrypting a file requires both the public key appended to the end of the encrypted file and the attacker's private key. Currently, there are no free decryptors for RTM Locker as the encryption process used is secure and hasn’t been cracked.

Description last updated: 2024-05-04T17:44:38.045Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
RTM Locker is a possible alias for RTM. RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Esxi

Linux

Locker

Malware

RaaS

Encryption

Trojan

Uptycs

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Babuk Malware is associated with RTM. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio	Unspecified	4
The Conti Malware is associated with RTM. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	3

Source Document References

Information about the RTM Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	2023年5月勒索软件流行态势分析 - 360CERT
CERT-EU	a year ago	Matthieu Faou \| WeLiveSecurity
MITRE	2 years ago	Russian Language Malspam Pushing Redaman Banking Malware
MITRE	2 years ago	GitHub - hfiref0x/UACME: Defeating Windows User Account Control
CERT-EU	2 years ago	Эксперт назвал способ решить проблему кибератак в России
CERT-EU	2 years ago	России предрекли новую волну утечек данных
CERT-EU	2 years ago	CISO – Forum 2023 совсем скоро!
CERT-EU	2 years ago	Nouvelle enquête du centre de recherche ARC de Trellix sur le ransomware RTM Locker \| UnderNews
InfoSecurity-magazine	2 years ago	RTM Locker Gang Targets Corporate Environments with Ransomware
CERT-EU	2 years ago	Read The Manual Locker ransomware operation on the rise
CERT-EU	2 years ago	勒索软件即服务提供商：RTM Locker - FreeBuf网络安全行业门户
CERT-EU	2 years ago	RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts
InfoSecurity-magazine	2 years ago	RTM Locker Ransomware Targets Linux Architecture
Securityaffairs	2 years ago	Researchers found the first Linux variant of the RTM locker
CERT-EU	2 years ago	RTM Locker Ransomware Gang Targets VMware ESXi Servers
CERT-EU	2 years ago	Linux version of RTM Locker ransomware targets VMware ESXi servers – Cyber Security Review
CERT-EU	2 years ago	RTM Locker Ransomware Attacks Linux, NAS, and ESXi Servers \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	The Good, the Bad and the Ugly in Cybersecurity – Week 17 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting
CERT-EU	2 years ago	Cyber Security Today, Week in Review for the week ending Friday, April 28, 2023 \| IT World Canada News
BankInfoSecurity	2 years ago	RTM Locker RaaS Group Turns to Linux, NAS and ESXi Hosts