RTM Locker

Malware Profile Updated 3 months ago
RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. It was built from the leaked source code of the now-defunct Babuk ransomware, which an alleged member of the Babuk group made public in September 2021. That leak spawned numerous new variants throughout 2023, including ESXiArgs, Rorschach, and RTM Locker, as well as the RA Group. The Linux variant of RTM Locker, like other ransomware operations such as Royal, Black Basta, LockBit, Qilin, ESXiArgs, Monti, and Akira, directly targets victims' VMware ESXi servers, stealing and encrypting files and then demanding substantial ransoms. Despite the shared origin, Uptycs has observed some differences between RTM Locker and its Babuk parent. More broadly, the mid-2021 source code leaks of both Paradise and Babuk underpin several new ransomware families, including MortalKombat, RA Group, RTM Locker, ESXiArgs, and Chaos 4; newcomers such as RA Group and Rorschach likewise reuse the leaked Babuk code. The latest RTM Locker variant, which targets Linux, NAS, and virtual machines on VMware ESXi hosts, underscores the continuing evolution of these attacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Babuk
4
Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
RTM
4
RTM is a malicious software, first reported as the RTM banking Trojan, that was initially detected by vendors such as Symantec and Microsoft in 2017. This malware operates on Windows 7 RTM (7600) and was later updated to a variant known as Redaman. The leaked source code of RTM has been utilized to
Rorschach
2
Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
Rook
2
Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom
Esxiargs
1
The ESXiArgs campaign was a significant cybersecurity event where an unknown ransomware group targeted VMware ESXi environments. The attackers exploited CVE-2021-21974, a vulnerability that was two years old at the time of the attacks. The campaign involved several ransomware groups such as Royal, B
Bablock
1
BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data h
Mortalkombat
1
MortalKombat is a new ransomware family that was discovered by Talos earlier this year. It was generated by the leaked Xorist ransomware builder, a type of malware that has been in existence since 2016. MortalKombat has been used by an unidentified threat actor since December 2022 to target individu
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Esxi
Encryption
Locker
Malware
Linux
Extortion
Reconnaissance
Ransom
Encrypt
Esxiargs
Cybercrime
RaaS
Vmware
Uptycs
Trellix
Associated Malware
ID | Type | Votes | Profile Description
Rapture (type: Unspecified)
2
Rapture is a prominent malware that has emerged as a significant threat in the cybersecurity landscape. It appears to have adapted and evolved from the Paradise crypto-locker source code, which leaked in mid-2021. Further enhancements were made using the Babuk source code that was leaked later the s
Conti (type: Unspecified)
2
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Lockbit (type: Unspecified)
1
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Akira (type: Unspecified)
1
Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
REvil (type: Unspecified)
1
REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Rorschach Ransomware (type: Unspecified)
1
The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware that was first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. The ransomware, which was named after the famous psychological test due to its varied appea
Monti (type: Unspecified)
1
The Monti group, a malicious cyber entity, has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. The group is known for its malware, Monti, which is a particularly harmful program designed to exploit and damage computer systems. It infiltrates systems thr
Black Basta (type: Unspecified)
1
Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Associated Threat Actors
ID | Type | Votes | Profile Description
Qilin (type: Unspecified)
1
Qilin, a notable threat actor in the cybersecurity landscape, has been significantly active over the last two years, compromising more than 150 organizations across 25 countries and various industries. Originally evolving from the Agenda ransomware written in Go, Qilin has since transitioned to Rust
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the RTM Locker malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU
6 months ago
VMware confirms critical vCenter flaw now exploited in attacks
Securityaffairs
6 months ago
Decryptor for Tortilla variant of Babuk ransomware released
CERT-EU
a year ago
Why Criminals Keep Reusing Leaked Ransomware Builders
BankInfoSecurity
a year ago
Why Criminals Keep Reusing Leaked Ransomware Builders
CERT-EU
a year ago
Cyber Security Today, August 9, 2023 – The latest ransomware news, and more | IT World Canada News
CERT-EU
a year ago
Code leaks are causing an influx of new ransomware actors
BankInfoSecurity
a year ago
New Entrants to Ransomware Unleash Frankenstein Malware
CERT-EU
a year ago
The Good, the Bad and the Ugly in Cybersecurity – Week 17 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
BankInfoSecurity
a year ago
RTM Locker RaaS Group Turns to Linux, NAS and ESXi Hosts
Securityaffairs
a year ago
Researchers found the first Linux variant of the RTM locker
InfoSecurity-magazine
a year ago
RTM Locker Ransomware Targets Linux Architecture
CERT-EU
a year ago
RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts
CERT-EU
a year ago
RTM Locker Ransomware Attacks Linux, NAS, and ESXi Servers | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU
a year ago
RTM Locker Ransomware Gang Targets VMware ESXi Servers
DARKReading
a year ago
Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs
CERT-EU
a year ago
Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems
CERT-EU
a year ago
Ransomware Group Claims Attack on Constellation Software
BankInfoSecurity
a year ago
RA Group Using Babuk Ransomware Source Code in Fresh Attacks
CERT-EU
a year ago
RA ransomware gang attacks four companies in less than a month | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU
a year ago
Linux version of RTM Locker ransomware targets VMware ESXi servers – Cyber Security Review