RTM Locker

Malware updated 7 months ago (2024-05-04T18:18:04.847Z)

Download STIX

Preview STIX

RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk group in September 2021. The leak led to the creation of numerous new variants throughout 2023, including ESXiArgs, Rorschach, and RTM Locker, as well as the RA Group. The Linux variant of RTM Locker, along with other ransomware groups such as Royal, Black Basta, LockBit, Qilin, ESXiArgs, Monti, and Akira, are known for directly targeting victims' VMware ESXi servers. These groups steal and encrypt files, subsequently demanding substantial ransoms. Notably, Uptycs has observed some differences between RTM Locker and its parent Babuk ransomware, despite their shared origins. The source code leaks of both Paradise and Babuk in mid-2021 have underpinned the emergence of several new ransomware families, including MortalKombat, RA Group, RTM Locker, ESXiArgs, and Chaos 4. Newcomers like RA Group, Rorschach, and RTM Locker also utilize the leaked Babuk source code. The latest variant of RTM Locker, which specifically targets Linux, NAS, and virtual machines on VMware ESXi hosts, underscores the ongoing threat and evolution of these ransomware attacks.

Description last updated: 2024-05-04T17:44:39.367Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
RTM is a possible alias for RTM Locker. RTM is a malicious software, first reported as the RTM banking Trojan, that was initially detected by vendors such as Symantec and Microsoft in 2017. This malware operates on Windows 7 RTM (7600) and was later updated to a variant known as Redaman. The leaked source code of RTM has been utilized to	4
Babuk is a possible alias for RTM Locker. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio	4
Rorschach is a possible alias for RTM Locker. Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe	2
Rook is a possible alias for RTM Locker. Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Esxi

Ransomware

Encryption

Malware

Linux

Locker

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Rapture Malware is associated with RTM Locker. Rapture is a prominent malware that has emerged as a significant threat in the cybersecurity landscape. It appears to have adapted and evolved from the Paradise crypto-locker source code, which leaked in mid-2021. Further enhancements were made using the Babuk source code that was leaked later the s	Unspecified	2
The Conti Malware is associated with RTM Locker. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	2

Source Document References

Information about the RTM Locker Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	VMware confirms critical vCenter flaw now exploited in attacks
Securityaffairs	10 months ago	Decryptor for Tortilla variant of Babuk ransomware released
CERT-EU	a year ago	Why Criminals Keep Reusing Leaked Ransomware Builders
BankInfoSecurity	a year ago	Why Criminals Keep Reusing Leaked Ransomware Builders
CERT-EU	a year ago	Cyber Security Today, August 9, 2023 – The latest ransomware news, and more \| IT World Canada News
CERT-EU	a year ago	Code leaks are causing an influx of new ransomware actors
BankInfoSecurity	a year ago	New Entrants to Ransomware Unleash Frankenstein Malware
CERT-EU	2 years ago	The Good, the Bad and the Ugly in Cybersecurity – Week 17 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting
BankInfoSecurity	2 years ago	RTM Locker RaaS Group Turns to Linux, NAS and ESXi Hosts
Securityaffairs	2 years ago	Researchers found the first Linux variant of the RTM locker
InfoSecurity-magazine	2 years ago	RTM Locker Ransomware Targets Linux Architecture
CERT-EU	2 years ago	RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts
CERT-EU	2 years ago	RTM Locker Ransomware Attacks Linux, NAS, and ESXi Servers \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	RTM Locker Ransomware Gang Targets VMware ESXi Servers
DARKReading	2 years ago	Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs
CERT-EU	2 years ago	Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems
CERT-EU	2 years ago	Ransomware Group Claims Attack on Constellation Software
BankInfoSecurity	2 years ago	RA Group Using Babuk Ransomware Source Code in Fresh Attacks
CERT-EU	2 years ago	RA ransomware gang attacks four companies in less than a month \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting
CERT-EU	2 years ago	Linux version of RTM Locker ransomware targets VMware ESXi servers – Cyber Security Review