
Emerging Cybercrime Group Targeting Businesses with Ransomware

Cybersecurity researchers have detailed the tactics of a “rising” cybercriminal gang called “Read The Manual” (RTM) Locker, which functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. The group started off in 2015 as banking malware targeting businesses in Russia via drive-by downloads, spam, and phishing emails. The group’s attack chains have since evolved to deploy a ransomware payload on compromised hosts. RTM Locker malware builds are bound by strict mandates that forbid affiliates from leaking the samples, on pain of a ban. The payload is capable of elevating privileges, terminating antivirus and backup services, and deleting shadow copies before commencing its encryption procedure. It is also designed to empty the Recycle Bin to prevent recovery, change the wallpaper, wipe event logs, and execute a shell command that self-deletes the locker as a last step.

In conclusion, the Read The Manual Locker gang is a rising cybercriminal group that uses ransomware-as-a-service (RaaS) to generate illicit profit. The group started off as banking malware targeting businesses in Russia, but its attack chains have since evolved to deploy a ransomware payload on compromised hosts. The group is known for its strict rules forbidding affiliates from leaking the samples, and its payload is capable of wiping event logs, changing the wallpaper, and executing a shell command that self-deletes the locker as a last step. Key points:

• Read The Manual (RTM) Locker is a “rising” cybercriminal group that operates as a private ransomware-as-a-service (RaaS) provider.
• The group started off in 2015 as banking malware targeting businesses in Russia.
• Attack chains mounted by the group have since evolved to deploy a ransomware payload on compromised hosts.
• RTM Locker malware builds are bound by strict mandates that forbid affiliates from leaking the samples.
• The payload is capable of elevating privileges, terminating antivirus and backup services, and deleting shadow copies before commencing its encryption procedure.
• It is also designed to empty the Recycle Bin to prevent recovery, change the wallpaper, and wipe event logs.
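The pre-encryption steps described above (stopping backup and antivirus services, deleting shadow copies, clearing event logs, and a shell-driven self-delete) are the part of the chain a defender can still catch before files are encrypted. The following is an added example, not code from the article or from the RTM Locker operators: a small Python detector that scans process-creation records for those behaviours and raises an alert only when several of them occur on one host within a short window. The log records are constructed, and the command-line patterns are the example's own assumptions about how these steps commonly surface in process-creation telemetry; the article itself names no commands.

```python
"""Correlate the pre-encryption behaviours a locker typically performs.

Added example; not code from the article or from RTM Locker.  Events are
constructed in a simplified Sysmon-Event-1-like shape (host, timestamp,
image, command line).  The regexes below are assumptions about how
shadow-copy deletion, event-log clearing, service termination and a
cmd-based self-delete commonly appear on the command line.
"""
import re
from collections import defaultdict

# (name, pattern over the full command line, weight)
# Shadow-copy deletion carries the highest weight because it removes the
# local recovery path; a lone service stop is routine admin work.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                r"|\bwmic(\.exe)?\b.*shadowcopy\s+delete", re.I), 3),
    ("event_log_wipe",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), 2),
    ("service_termination",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+|\btaskkill(\.exe)?\b", re.I), 1),
    ("self_delete",
     re.compile(r"\bcmd(\.exe)?\b.*\b(del|erase)\b.*\.exe\b", re.I), 2),
]

# Constructed sample events (not real telemetry). WS01 shows the full
# pre-encryption sequence; SRV02 shows a benign service restart.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ts": 101, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop BackupAgentSvc"},          # placeholder service name
    {"host": "WS01", "ts": 102, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS01", "ts": 103, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 3 & del C:\Users\Public\locker.exe"},
    {"host": "SRV02", "ts": 200, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
    {"host": "SRV02", "ts": 205, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net start Spooler"},
]


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, pattern, _ in RULES if pattern.search(cmdline)]


def score_hosts(events, window=600, min_score=4, min_distinct=2):
    """Flag hosts whose matched behaviours, inside any `window`-second span,
    reach `min_score` across at least `min_distinct` different behaviours.

    Each behaviour is counted once per window so a repeated command cannot
    inflate the score on its own.  Returns {host: {"score", "behaviours",
    "commands"}} with the highest-scoring window per host.
    """
    weights = {name: w for name, _, w in RULES}
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_rules(ev["cmdline"]):
            by_host[ev["host"]].append((ev["ts"], name, ev["cmdline"]))

    alerts = {}
    for host, hits in by_host.items():
        for t0, _, _ in hits:
            in_window = [h for h in hits if t0 <= h[0] <= t0 + window]
            distinct = {name for _, name, _ in in_window}
            score = sum(weights[n] for n in distinct)
            if score >= min_score and len(distinct) >= min_distinct:
                prev = alerts.get(host)
                if prev is None or score > prev["score"]:
                    alerts[host] = {
                        "score": score,
                        "behaviours": sorted(distinct),
                        "commands": [c for _, _, c in in_window],
                    }
    return alerts


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: score={info['score']} "
              f"behaviours={', '.join(info['behaviours'])}")
        for c in info["commands"]:
            print("   ", c)
```

The threshold logic is the point: a single `net stop` on SRV02 scores 1 and stays silent, while WS01 accumulates all four behaviours within seconds and scores 8. In production the same correlation belongs in the SIEM or EDR rule engine, with the shadow-copy and event-log rules also raising stand-alone alerts, since each of those is rare enough in normal operations to be worth a look on its own.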
