Read The Manual Locker: A Private RaaS Provider

RTM Locker operates as a ransomware-as-a-service with affiliates under strict governance, aiming to stay under the radar and monetize rather than seek headlines. The article provides a technical deep dive into their Windows ransomware, including panel operations, encryption workflow, and anti-analysis/defense-evasion techniques. #RTMLocker #ReadTheManual #RaaS #TOR

Keypoints

  • The RTM Locker gang uses a professional, affiliate-based model with rules that require affiliates to stay active or notify the group of departures.
  • The group excludes high-profile targets and CIS-region victims, and communicates in Russian and English, suggesting geographic considerations and “under the radar” operations.
  • Affiliates add victims in a private panel, set data-release timers, and negotiations occur off the main channels to avoid researcher visibility.
  • The panel enforces discipline (e.g., inactivity bans) and forbids sample redistribution or public chats, indicating mature governance.
  • The ransomware uses private builds, has a self-delete mechanism, and relies on TOR for negotiations and data handling.
  • Technical analysis shows multi-threaded encryption using IOCP, volume mounting, random file extensions, and explicit anti-analysis/defense-evasion measures (process and service termination, followed by log and file cleanup).

MITRE Techniques

  • [T1134] Access Token Manipulation – Create Process with Token – “A User Account Control dialog pops up. If the victim approves the execution, the new process instance is launched with the requested administrative permissions.”
  • [T1082] System Information Discovery – GetSystemInfo is used to tailor the attack; “The number of processors is used multiple times… to create IOCP threads and encryption threads.”
  • [T1057] Process Discovery – The locker iterates over running processes and terminates selected ones; “The pseudo code shows the iteration over all the running processes, and the stopping of selected processes.”
  • [T1562.001] Impair Defenses: Disable or Stop Security Tools – The locker terminates processes and stops services; “The targeted services are responsible for anti-virus protection and back-ups.”
  • [T1070.001] Clear Windows Event Logs – Logs are wiped after encryption; “wipes the System, Application, and Security logs from the machine.”
  • [T1070.004] File Deletion – Self-destruction after execution; “Self destruction” via a shell command to delete the locker.
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files on the disk; “encrypts as much files as possible.”
  • [T1106] Native API – The ransomware uses the WinAPI directly; “Uses the WinAPI directly.”
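The log-wiping and shell-based self-delete behaviours listed above are easy to look for in endpoint telemetry. The Python below is an added example written for this summary, not code from Trellix or from the report; the event records are constructed, and the self-delete command line and the regex that matches it are assumptions shaped by the described ping-127.0.0.1-then-delete sequence.

```python
"""Detection sketch for two post-encryption behaviours attributed to RTM Locker:
wiping the System/Application/Security event logs and self-deleting through a
shell command that pings 127.0.0.1 before removing the binary.
All input events below are constructed for this example."""
import re

# Windows event IDs written when a log is cleared (Security: 1102, System/Application: 104).
LOG_CLEAR_IDS = {1102, 104}

# Self-delete pattern: a shell pings localhost (as a delay) and then deletes a file.
# The exact command line is not given in the summary; this regex is an assumption.
SELF_DELETE_RE = re.compile(
    r"ping\b[^&|]*127\.0\.0\.1.*?(?:&|\|).*?\bdel\b", re.IGNORECASE | re.DOTALL)

# Constructed sample telemetry: event id, channel, image name and command line.
SAMPLE_EVENTS = [
    {"id": 4688, "channel": "Security", "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"id": 1102, "channel": "Security", "image": "wevtutil.exe", "cmdline": ""},
    {"id": 104, "channel": "System", "image": "", "cmdline": ""},
    {"id": 4688, "channel": "Security", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\\Users\\Public\\locker.exe"'},
    {"id": 4688, "channel": "Security", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ping 8.8.8.8 -n 1"},  # benign ping, must not match
]

def classify_event(ev):
    """Return a detection label for one event, or None if nothing matches."""
    if ev["id"] in LOG_CLEAR_IDS:
        return f"log_cleared:{ev['channel']}"
    if ev["id"] == 4688 and SELF_DELETE_RE.search(ev["cmdline"]):
        return "self_delete_via_shell"
    return None

def scan(events):
    """Return ((index, label) hits, severity). Severity is 'high' only when both
    behaviours appear, since together they match the described cleanup sequence."""
    hits = [(i, lbl) for i, ev in enumerate(events) if (lbl := classify_event(ev))]
    kinds = {lbl.split(":")[0] for _, lbl in hits}
    severity = "high" if {"log_cleared", "self_delete_via_shell"} <= kinds else "low"
    return hits, severity

if __name__ == "__main__":
    hits, severity = scan(SAMPLE_EVENTS)
    print("severity:", severity)
    for hit in hits:
        print(hit)
```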

Indicators of Compromise

  • [Hash] – RTM Locker sample hashes (SHA-256 and SHA-1): c41a2ddf8c768d887b5eca283bbf8ea812a5f2a849f07c879808845af07409ed, eaad989098815cc44e3bcb21167c7ada72c585fc
  • [IP] Localhost ping used in self-delete sequence – 127.0.0.1
  • [URL] Onion-based negotiation/login service – http://nvfutdbq3ubteaxj4m2jyihov5aa4akfudsj5h7vhyrvfarfra26ksyd.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html