The cybercriminals behind RTM Locker have developed a strain of the ransomware capable of attacking machines running Linux-based operating systems, marking the group’s first foray onto the open source platform.

Who is behind RTM Locker and what kind of ransomware has the group created

“Its locker ransomware infects Linux, NAS and ESXi hosts and appears to be inspired by the leaked source code of Babuk ransomware,” Uptycs said in a new report released on Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files.”

RTM Locker was first documented by Trellix earlier this month, which described the adversary as a private ransomware-as-a-service (RaaS) provider with roots in a cybercrime group called Read The Manual (RTM) that has been active since at least 2015.

The RTM group is known for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement agencies and hospitals, so as to attract as little attention as possible. It also relies on affiliates to extort victims, and threatens to release stolen data if victims refuse to pay.

The Linux flavor is specifically designed to single out ESXi hosts: it terminates all virtual machines running on a compromised host before starting the encryption process. At the moment the initial infection vector, that is, the file or set of files used to deliver the ransomware, is not known.

“The ransomware is statically compiled and stripped, making it more difficult to reverse engineer and allowing the binary to run on multiple systems,” Uptycs explained. “The encryption function also uses pthreads (also called POSIX threads) to speed up execution.”

After successful encryption, victims are told to contact the support team within 48 hours via Tox or risk having their data published. Decrypting a file locked by RTM Locker requires both the public key appended to the end of the encrypted file and the attacker’s private key. The appended value is only the public half of an ECDH key pair, so on its own it gives a defender nothing: the ChaCha20 key can only be recomputed with the attacker’s private key, which never leaves the operators.
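To make the key handling described above concrete, here is an added example written for this article; it is not code from Uptycs, Trellix or the RTM Locker binary. It models ECDH on Curve25519 (X25519, RFC 7748) and ChaCha20 (RFC 8439) in pure Python, with the ECDH public key appended to the encrypted file as the article states. Everything the page does not spell out is an assumption of the example: one ephemeral key pair per file, the raw shared secret used directly as the ChaCha20 key, a random 12-byte nonce stored with the public key in a 44-byte trailer. The real locker’s key derivation and file layout may differ, and the names x25519, chacha20_xor, encrypt_file and decrypt_file are the example’s own.

```python
# Added example (editor's own, not Uptycs's or RTM Locker's code): a pure-Python
# model of the hybrid scheme the article describes, X25519 (ECDH on Curve25519)
# plus ChaCha20, with the ECDH public key appended to the encrypted file.
# Assumed (not stated on the page): one ephemeral key pair per file, the raw
# shared secret used as the ChaCha20 key, trailer = nonce || ephemeral public key.
import os
import struct

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")
MASK32 = 0xFFFFFFFF
TRAILER = 12 + 32        # assumed layout: 12-byte nonce || 32-byte ephemeral public key


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder).
    Python ints are not constant-time: this is a model, not a library."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:                                     # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 ChaCha20 block function: 64 bytes of keystream."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8L", key) + (counter & MASK32,) + struct.unpack("<3L", nonce)
    w = list(state)
    for _ in range(10):                              # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 64)):
        keystream = chacha20_block(key, 1 + block_no, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


def encrypt_file(plaintext: bytes, attacker_pub: bytes) -> bytes:
    """Locker side: fresh ECDH pair per file, shared secret with the attacker's
    public key becomes the ChaCha20 key, the ephemeral public half is appended."""
    eph_priv = os.urandom(32)
    eph_pub = x25519_public(eph_priv)
    shared = x25519(eph_priv, attacker_pub)
    nonce = os.urandom(12)
    return chacha20_xor(shared, nonce, plaintext) + nonce + eph_pub   # eph_priv is discarded


def decrypt_file(blob: bytes, attacker_priv: bytes) -> bytes:
    """Only the attacker can do this: recompute the shared secret from the
    appended ephemeral public key and the long-term private key."""
    ciphertext, nonce, eph_pub = blob[:-TRAILER], blob[-TRAILER:-32], blob[-32:]
    return chacha20_xor(x25519(attacker_priv, eph_pub), nonce, ciphertext)


def rfc7748_vector_ok() -> bool:
    """Known-answer check of the X25519 model against RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    k = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return x25519(a, x25519_public(b)) == k == x25519(b, x25519_public(a))


if __name__ == "__main__":
    attacker_priv = os.urandom(32)               # stays with the operators
    attacker_pub = x25519_public(attacker_priv)  # the only key that would ship in a binary
    sample = b"constructed sample: first bytes of a VMDK on an ESXi datastore" * 4
    locked = encrypt_file(sample, attacker_pub)
    print("RFC 7748 vector ok:", rfc7748_vector_ok())
    print("appended public key:", locked[-32:].hex())
    print("recovered with attacker key:", decrypt_file(locked, attacker_priv) == sample)
    print("recovered with wrong key:", decrypt_file(locked, os.urandom(32)) == sample)
```

The article’s point falls out of the model directly: the attacker’s private key never touches the victim host, only its public half is embedded, and the per-file private key is thrown away after use, so the public key sitting at the end of every encrypted file is useless to anyone without the operators’ key. The RFC 7748 known-answer check confirms the X25519 arithmetic; the Python integer math is not constant-time and is for illustration only.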

The development comes as Microsoft has revealed that vulnerable PaperCut servers are currently being targeted by cybercriminals to distribute Cl0p and LockBit ransomware.

Conclusion

In summary, the discovery of RTM Locker attacking Linux machines represents an alarming step forward for cybercriminals looking to spread ransomware.

The discovery of threats targeting vulnerable PaperCut servers is also a reminder to businesses around the world of the importance of properly protecting their systems and networks against cyber threats.

The increase in ransomware activity highlights the importance of implementing robust cybersecurity measures to prevent attacks, protect data, and avoid long-term harm to organizations.

Finally, remember that many ransomware infections begin with user inattention: opening malicious files sent via deceptive emails or chats. That is not the whole story, though. The PaperCut campaign mentioned above starts from an unpatched server with no user involvement at all, and the initial access vector for RTM Locker’s Linux variant is not yet known.

Moreover, this series of attacks on Linux-based operating systems puts an end to the myth that Linux is “invincible” when it comes to information security. That belief owes more to the enthusiasm of the platform’s fans than to reality: a Linux system that is badly configured or left unpatched can be compromised just like any other.