A new ransomware binary targeting Linux systems has been attributed to the ransomware-as-a-service (RaaS) RTM group.
Security researchers at Uptycs shared the findings in an advisory published on Wednesday, noting that this is the first time the group has developed a Linux binary.
“Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” the company explained.
Similarities in the code include the functions used to generate random numbers. The two also target the same types of files for encryption. Finally, both use strong encryption schemes that make it difficult to recover the encrypted data without the attacker’s private key.
“It uses a combination of […] asymmetric encryption and […] symmetric encryption to encrypt files.”
The public key, appended as an extension to (Windows) or at the end of (Linux) the encrypted file, is read to decrypt files. The shared key is recovered with the attacker’s private key, which enables file decryption.
“Use of both asymmetric and symmetric encryption makes it impossible to decrypt the encrypted data without the attacker’s private key,” reads the advisory.
Describing the new malware, Uptycs said it is specifically aimed at ESXi hosts: servers or data storage devices on which VMware ESXi hypervisors have been installed.
Uptycs also noted some differences between RTM Locker and Babuk ransomware.
“Babuk differs slightly from RTM Locker by using sosemanuk for asymmetric encryption, while RTM Locker uses ChaCha20.”
Despite the technical analysis of the new binaries, however, the security researchers said the initial access vector for RTM Locker was unknown at the time of writing.
The Uptycs advisory includes YARA rules that system defenders can use to scan suspicious processes.
Another ransomware that has recently evolved to target Linux systems is IceFire, which was recently analyzed by security researchers at SentinelOne.
Some parts of this article are sourced from:
www.infosecurity-journal.com