RTM Locker marks the RTM group’s first Linux ransomware binary, targeting Linux, NAS, and ESXi hosts, and appears inspired by Babuk’s leaked source code, using ECDH Curve25519 and ChaCha20 for file encryption. Uptycs provides detection guidance with XDR and YARA rules, highlighting ESXi-targeted behavior and the Babuk connection. #RTMLocker #Babuk #RTMGroup #ESXi #ChaCha20 #Curve25519 #UptycsXDR
Key points
- RTM Locker is the RTM group’s first Linux binary and targets Linux, NAS, and ESXi hosts.
- It encrypts files using a two-step cryptographic scheme: Elliptic-Curve Diffie-Hellman on Curve25519 for the shared secret, then ChaCha20 for symmetric encryption.
- The ESXi variant includes two ESXi commands to list and kill running VMs, indicating ESXi-focused behavior.
- The initial access vector is unknown, and decryption requires the attacker’s private key.
- The binary is statically compiled and stripped, making reverse engineering harder and increasing cross-system compatibility.
- RTM Locker shows notable similarities to Babuk ransomware (random number generation, Curve25519 usage, similar Linux file extensions).
- Uptycs XDR provides detection capabilities with YARA rules specifically for RTM Locker and offers guidance for MITRE-aligned detection.
MITRE Techniques
- [T1057] Process Discovery – The ransomware uses ESXi commands to enumerate VMs: “esxcli vm process list >> vmlist.tmp.txt” and “esxcli vm process kill -t=force -w”.
- [T1083] File and Directory Discovery – The program walks the entire filesystem with opendir(3) and then calls lstat(2) to decide what to encrypt: “read the entire system using opendir(3), after which it performs lstat(2) on the file descriptor.”
- [T1027] Obfuscated/Compressed Files or Information – The binary is statically compiled and stripped, making reverse engineering more difficult and enabling broader deployment. “It is statically compiled and stripped, making reverse engineering more difficult…”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files in a two-step process: “1) Asymmetric encryption is initially used… 2) It then uses ChaCha20 symmetric encryption.” The blog later notes that the public key is appended to each encrypted file.
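The two ESXi commands and the temp filenames above are the most concrete host-level artefacts the blog gives, so they map cleanly onto process-execution telemetry. The following is an added example, not code from the Uptycs post or the RTM Locker binary: it scans constructed command-line records (the `host|pid|cmdline` format, the rule names and the sample lines are assumptions made for this example; the esxcli strings, the vmlist filenames and the `.RTM` suffix are taken from the page) and correlates VM enumeration followed by a forced VM kill on the same host, which separates the ransomware's pre-encryption step from a lone administrative `esxcli vm process list`.

```python
import re
from collections import defaultdict

# Rule table: (rule name, MITRE technique id from the article, regex).
# Command strings, temp filenames and the .RTM extension come from the
# article; the rule names are chosen for this example.
RULES = [
    ("esxi_vm_enumeration", "T1057",
     re.compile(r"\besxcli\s+vm\s+process\s+list\b")),
    ("esxi_vm_force_kill", "T1057",
     re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*\s-t=force\b")),
    ("vmlist_tmp_artifact", "T1057",
     re.compile(r"\bvmlist\.?tmp\.txt\b")),   # matches both spellings the blog reports
    ("rtm_extension_write", "T1486",
     re.compile(r"\S+\.RTM\b")),
]

# Constructed sample telemetry in an assumed 'host|pid|cmdline' format.
SAMPLE_LOG = """\
esx01|4471|esxcli system version get
esx01|4503|sh -c "esxcli vm process list >> vmlist.tmp.txt"
esx01|4510|esxcli vm process kill -t=force -w 2123456
esx01|4511|esxcli vm process kill -t=force -w 2123457
esx01|4520|rename /vmfs/volumes/ds1/web01/web01.vmdk /vmfs/volumes/ds1/web01/web01.vmdk.RTM
esx02|3100|esxcli vm process list
"""


def parse_line(line):
    """Split one 'host|pid|cmdline' record; returns None for malformed input."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    host, pid, cmdline = parts
    return host.strip(), pid.strip(), cmdline.strip()


def scan_log(text):
    """Return (line_no, host, rule_name, technique) for every rule hit."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            continue
        host, _pid, cmdline = rec
        for name, technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append((line_no, host, name, technique))
    return findings


def hosts_with_vm_kill_chain(findings):
    """Hosts on which VM enumeration AND a forced VM kill were both seen:
    the sequence the article attributes to the ESXi variant. A host that
    only ran 'process list' (normal admin work) is not returned."""
    seen = defaultdict(set)
    for _ln, host, name, _tech in findings:
        seen[host].add(name)
    return sorted(h for h, names in seen.items()
                  if {"esxi_vm_enumeration", "esxi_vm_force_kill"} <= names)


def technique_counts(findings):
    """Tally hits per MITRE technique id, useful for the XDR summary view."""
    counts = defaultdict(int)
    for _ln, _host, _name, tech in findings:
        counts[tech] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("hosts showing enumerate-then-kill:", hosts_with_vm_kill_chain(hits))
    print("per technique:", technique_counts(hits))
```

On the constructed log, `esx01` is reported because both the enumeration and the forced kill occur there, while `esx02` only shows the harmless listing; the `.RTM` rename on `esx01` is tallied separately under T1486 so that a hunt can pivot from the VM shutdown to the encryption activity.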
Indicators of Compromise
- [SHA256] RTM Locker hashes observed – 55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638, b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b, and 1 more hash
- [Filename] ESXi-related command artifacts – vmlist.tmp.txt and vmlisttmp.txt are used during ESXi VM enumeration; the blog notes that the filename written and the filename read back do not match.
- [Filename] Ransom note and related artifacts – !!! Warning!!! (ransom note filename), and the note text observed in figures
- [File extension] Encrypted files end with .RTM extension – example: sample.doc.RTM
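The `.RTM` suffix and the `!!! Warning!!!` note name are the file-system artefacts a responder would scope by. The following is an added example, not code from the Uptycs post: it walks a directory tree with `os.scandir` without following symlinks (the lstat(2)-style traversal the blog describes for the ransomware, reused here for triage), counts encrypted files, ransom notes and still-unencrypted files per directory, and recovers the original filenames by stripping the suffix. The sample tree, the VM paths in it and the `demo()` helper are constructed for this example and are not indicators from the page.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".RTM"            # extension the article reports
RANSOM_NOTE_NAME = "!!! Warning!!!"  # ransom note filename the article reports


def triage(root):
    """Walk `root` without following symlinks and tally encrypted files,
    ransom notes, unencrypted regular files, affected directories (relative
    to root) and the original names recovered from .RTM files."""
    summary = {"encrypted": 0, "unencrypted": 0, "notes": 0,
               "dirs_hit": set(), "original_names": []}
    stack = [root]
    while stack:
        d = stack.pop()
        try:
            with os.scandir(d) as it:
                entries = list(it)
        except OSError:
            continue  # unreadable directory: skip rather than abort the sweep
        for e in entries:
            if e.is_symlink():
                continue  # never follow links (lstat semantics); avoids loops
            if e.is_dir(follow_symlinks=False):
                stack.append(e.path)
            elif e.is_file(follow_symlinks=False):
                rel_dir = os.path.relpath(d, root)
                if e.name == RANSOM_NOTE_NAME:
                    summary["notes"] += 1
                    summary["dirs_hit"].add(rel_dir)
                elif e.name.endswith(ENCRYPTED_SUFFIX):
                    summary["encrypted"] += 1
                    summary["dirs_hit"].add(rel_dir)
                    summary["original_names"].append(e.name[:-len(ENCRYPTED_SUFFIX)])
                else:
                    summary["unencrypted"] += 1
    summary["dirs_hit"] = sorted(summary["dirs_hit"])
    summary["original_names"].sort()
    return summary


# Constructed sample tree: two VM folders on a datastore and one home
# directory, partly "encrypted". Paths are invented for this example.
SAMPLE_TREE = {
    "vmfs/volumes/ds1/web01/web01.vmdk.RTM": b"",
    "vmfs/volumes/ds1/web01/web01.vmx.RTM": b"",
    "vmfs/volumes/ds1/web01/!!! Warning!!!": b"constructed note text",
    "vmfs/volumes/ds1/db01/db01.vmdk": b"",
    "home/user/sample.doc.RTM": b"",
    "home/user/!!! Warning!!!": b"constructed note text",
    "home/user/notes.txt": b"",
}


def build_sample_tree(root):
    """Materialise SAMPLE_TREE under root, plus a symlink loop back to root
    that a naive recursive walk would follow forever."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    try:
        os.symlink(root, os.path.join(root, "home", "loop"))
    except OSError:
        pass  # platforms without symlink support: the walk is still correct


def demo():
    """Build the constructed tree in a temp dir, triage it, clean up."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Run against a real mount point with `triage("/vmfs/volumes")` (or any suspect path); `dirs_hit` lists the directories that need restore-from-backup attention, `original_names` gives the pre-encryption filenames for matching against backup catalogues, and `unencrypted` shows how far the run got before it was stopped.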
Read more: https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux