Researchers in cybersecurity have detailed the techniques of a "rising" cybercriminal group known as "Read The Manual" (RTM) Locker, which operates as a private ransomware-as-a-service (RaaS) provider and conducts opportunistic attacks to make illegal profit.
"The 'Read The Manual' Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang's strict rules," cybersecurity firm Trellix said in a report shared with The Hacker News.
"The business-like setup of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti."
First documented by ESET in February 2017, RTM has been active since 2015, when it started out as banking malware targeting Russian businesses via drive-by downloads, spam, and phishing emails. The group's attack chains have since expanded to include the deployment of a ransomware payload on compromised hosts.
The Russian-speaking organization was linked to an extortion and blackmail effort in March 2021 that used a trinity of threats, including genuine remote access tools, a banking trojan, and a ransomware strain known as Quoter. According to Trellix, there is no connection between Quoter and the RTM Locker ransomware executable utilized in the recent attacks.
A defining characteristic of the threat actor is its ability to operate in the shadows by avoiding high-profile targets that could draw attention to its activities. To that end, the group prohibits affiliates from targeting CIS countries, as well as mortuaries, hospitals, COVID-19 vaccine-related enterprises, critical infrastructure, law enforcement, and other major companies.
"The RTM gang's goal is to attract as little attention as possible, which is where the rules help them to avoid hitting high-value targets," security researcher Max Kersten said. "Their management of affiliates to accomplish that goal requires some level of sophistication, though it's not a high level per se."
RTM Locker malware builds are governed by strict rules that prohibit affiliates from leaking samples, on pain of being banned. Among the other criteria outlined is a condition that locks out affiliates if they are inactive for 10 days without prior notification.
"The effort the gang put into avoiding drawing attention was the most unusual. The affiliates need to be active as well, making it harder for researchers to infiltrate the gang. All in all, the gang's specific efforts in this area are higher than normally observed compared to other ransomware groups," Kersten explained.
The locker is believed to be executed on networks already under the adversary's control, implying that the systems were compromised by other means first, such as phishing attacks, malspam, or exploitation of vulnerable internet-exposed servers. The threat actor, like other RaaS groups, uses extortion to pressure victims into paying. Before starting its encryption routine, the payload can elevate privileges, terminate antivirus and backup services, and delete shadow copies.
It is also designed to empty the Recycle Bin to hinder recovery, change the wallpaper, clear event logs, and, as a final step, launch a shell command that deletes the locker itself. Cybercrime groups will continue to "adopt new tactics and methods to avoid the headlines and help them fly under the radar of researchers and law enforcement alike," according to Kersten.
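The pre-encryption behaviours listed above (stopping backup and antivirus services, deleting shadow copies, clearing event logs, self-deletion via a shell command) are each noisy on their own but telling in combination. The following is an added detection sketch, not code from the article or from Trellix: it parses constructed process-creation log lines, classifies command lines against generic Windows command patterns for those behaviours (the patterns are assumptions chosen for illustration, not commands taken from RTM Locker samples), and raises an alert only when a host shows at least two distinct behaviours within a ten-minute window. The log format (`timestamp host=... cmd=...`) is likewise invented for the example.

```python
"""Correlate pre-encryption ransomware behaviours per host from process logs.

Log lines, the log format and the command-line patterns below are constructed
for this example; they are generic indicators of the techniques the article
names, not indicators taken from RTM Locker samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule maps a behaviour name to a regex over the process command line.
# These are common Windows commands for each behaviour (assumption, generic).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("event_log_clearing",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("service_termination",
     re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b", re.I)),
    ("self_deletion",
     re.compile(r"\bcmd(\.exe)?\s+/c\b.*\bdel\b.*\.exe", re.I)),
]

WINDOW = timedelta(minutes=10)   # correlation window per host
MIN_DISTINCT = 2                 # distinct behaviours needed to alert

# Constructed log format: "<ISO timestamp> host=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return (timestamp, host, command line) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def classify(cmd):
    """Return the list of behaviour names whose pattern matches the command."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines):
    """Return {host: sorted behaviours} for hosts showing >= MIN_DISTINCT
    distinct behaviours inside any WINDOW-long span of events."""
    events = defaultdict(list)  # host -> [(timestamp, behaviour)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, cmd = parsed
        for behaviour in classify(cmd):
            events[host].append((ts, behaviour))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        best = set()
        # Slide a window starting at each event; keep the richest behaviour set.
        for i, (t0, _) in enumerate(evs):
            window = {b for t, b in evs[i:] if t - t0 <= WINDOW}
            if len(window) > len(best):
                best = window
        if len(best) >= MIN_DISTINCT:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample log: SRV02 shows the full chain within minutes, WS03 shows
# two behaviours hours apart (routine admin work), WS01 is benign.
SAMPLE_LOG = [
    r"2024-01-01T10:00:00 host=WS01 cmd=C:\Windows\System32\notepad.exe C:\Users\a\notes.txt",
    r"2024-01-01T09:00:00 host=WS03 cmd=sc stop Spooler",
    r"2024-01-01T10:01:00 host=SRV02 cmd=net stop 'Backup Service' /y",
    r"2024-01-01T10:01:30 host=SRV02 cmd=vssadmin.exe delete shadows /all /quiet",
    r"2024-01-01T10:02:00 host=SRV02 cmd=wevtutil.exe cl System",
    r"2024-01-01T10:03:00 host=SRV02 cmd=cmd.exe /c del C:\Users\Public\locker.exe",
    r"2024-01-01T14:00:00 host=WS03 cmd=wevtutil.exe cl Application",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

Requiring two or more distinct behaviours in a short window is what keeps this usable: a single `net stop` or an administrator clearing a log on WS03 does not fire, while the clustered sequence on SRV02 does. In a real deployment the patterns would be tuned against the environment's own baseline and the window adjusted to how quickly the locker is seen to move.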