Cybersecurity researchers have detailed the tactics of a “rising” cybercriminal gang called “Read The Manual” (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit.
“The ‘Read The Manual’ Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang’s strict rules,” cybersecurity firm Trellix said in a report shared with The Hacker News.
“The business-like set up of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti.”
RTM, first documented by ESET in February 2017, started off in 2015 as a banking malware targeting businesses in Russia via drive-by downloads, spam, and phishing emails. Attack chains mounted by the group have since evolved to deploy a ransomware payload on compromised hosts.
In March 2021, the Russian-speaking group was attributed to an extortion and blackmail campaign that deployed a trifecta of threats, including a financial trojan, legitimate remote access tools, and a ransomware strain called Quoter.
Trellix told The Hacker News that there is no relationship between Quoter and the RTM Locker ransomware executable used in the latest attacks.
A key trait of the threat actor is its ability to operate under the shadows by deliberately avoiding high-profile targets that could draw attention to its activities. To that end, CIS countries, as well as morgues, hospitals, COVID-19 vaccine-related corporations, critical infrastructure, law enforcement, and other prominent companies are off-limits for the group.
“The RTM gang’s goal is to attract as little attention as possible, which is where the rules help them to avoid hitting high-value targets,” security researcher Max Kersten said. “Their management of affiliates to accomplish that goal requires some level of sophistication, though it’s not a high level per se.”
RTM Locker malware builds are bound by strict mandates that forbid affiliates from leaking the samples, or else risk facing a ban. Among the other rules laid out is a clause that locks out affiliates should they remain inactive for 10 days sans a notification upfront.
“The effort the gang put into avoiding drawing attention was the most unusual,” Kersten explained. “The affiliates need to be active as well, making it harder for researchers to infiltrate the gang. All in all, the gang’s specific efforts in this area are higher than normally observed compared to other ransomware groups.”
It’s suspected that the locker is executed on networks that are already under the adversary’s control, indicating that the systems may have been compromised by other means, such as phishing attacks, malspam, or the exploitation of internet-exposed vulnerable servers.
The threat actor, like other RaaS groups, uses extortion techniques to compel victims into paying up. The payload, for its part, is capable of elevating privileges, terminating antivirus and backup services, and deleting shadow copies before commencing its encryption procedure.
It’s also designed to empty the Recycle Bin to prevent recovery, change the wallpaper, wipe event logs, and execute a shell command that self-deletes the locker as a last step.
The findings suggest that cybercrime groups will continue to “adopt new tactics and methods to avoid the headlines and help them fly under the radar of researchers and law enforcement alike,” Kersten noted.