The “Read The Manual” (RTM) Locker group has been observed targeting corporate environments with ransomware and forcing their affiliates to follow a strict set of rules.
According to an advisory published on Thursday by Trellix cybersecurity experts, the businesslike approach of the group (also observed in other threat actors, such as Conti) shows its organizational maturity.
Read more on Conti here: “Alarming” Surge in Conti Group Activity This Year
The company recently analyzed the latest version of the RTM Locker group’s panel, which provides a look into their rules, targets and tactics.
“The panel’s login page requires a username and password combination, along with a captcha code to prevent brute force login attempts by other actors and researchers alike,” wrote malware analyst Max Kersten. “Within the panel, affiliates can add ransomed victims.”
This tactic, which Trellix has seen before, is devised to enable RTM Locker to try and extort victims twice: first by encrypting files, and second by naming and shaming their victims by publishing stolen and exfiltrated data.
“The gang’s modus operandi is focused on a single goal: to fly below the radar. Their goal is not to make headlines but rather to make money while remaining unknown,” Kersten added.
“The affiliates need to remain active, or their account will be removed. Any affiliate who is inactive for ten days without providing a notification upfront will be locked out of the panel.”
To this end, associates are explicitly warned not to target vital infrastructure, law enforcement and other major corporations, as they would garner unwanted attention. Further, communication with the group must go through the TOX messenger, and linking any negotiation chat publicly is prohibited and will cause the affiliate to be banned.
“The group’s notifications are posted in Russian and English, where the former is of better quality,” reads the Trellix advisory. “Based on that, it isn’t surprising that the Commonwealth of Independent States in the Eastern Europe and Asia (CIS) region is off-limits.” Attacks against morgues, hospitals and COVID-19 vaccine-related corporations are also prohibited.
Kersten also explained that, based on RTM Locker’s tactics, its attacks are likely opportunity based.
“The rules define a clear scope as to what is a potential target, allowing affiliates to operate as they see fit. The gang’s primary objective seems to make money, rather than a political motive.”
However, according to Erich Kron, security awareness advocate at KnowBe4, it is likely that most of these attacks begin with a simple phishing email.
“For organizations to defend themselves, wisdom dictates that educating employees on how to spot and report phishing emails, having robust and tested backups in place, and having well-tuned data loss prevention controls can go a long way toward minimizing the impact that these potential threats have on organizations,” Kron added.
In February, an international police operation led to the dismantling of a criminal network responsible for millions of dollars in business email compromise (BEC) losses.