"RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts"

The threat actors behind RTM Locker have a new ransomware strain capable of infecting Linux systems. Uptycs stated in a new report that the locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by the leaked source code of the Babuk ransomware. Files are encrypted using a combination of ECDH on Curve25519 (asymmetric encryption) and ChaCha20 (symmetric encryption). Trellix first documented RTM Locker earlier this month, describing the adversary as a private Ransomware-as-a-Service (RaaS) provider. It originates from Read The Manual (RTM), a cybercriminal group active since at least 2015. The group is known for avoiding high-profile targets, such as critical infrastructure, law enforcement, and hospitals, in order to attract as little attention as possible. It uses affiliates to extort victims and leaks stolen information if they refuse to pay. The Linux variant singles out ESXi hosts: before starting the encryption process, it terminates all virtual machines running on a compromised host. The initial infector used to distribute the ransomware is currently unknown. This article continues to discuss researchers' findings and observations regarding RTM Locker's first Linux ransomware strain.

THN reports "RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts"

Submitted by Anonymous on