RTM Locker
Malware
⚠️ Overview
RTM Locker is a ransomware family first discovered in March 2022 by Trend Micro, belonging to the ransomware-as-a-service (RaaS) category and operated by the Russian-speaking cybercriminal group known as RTM (Real Time Malware), which is also associated with the RTM botnet. The malware specifically targets Linux servers and VMware ESXi hypervisors, using a combination of file encryption and data theft to pressure victims into paying ransoms.
🔧 Technical Capabilities
RTM Locker is written in Go (Golang), which provides cross-platform compatibility and complicates static analysis. It propagates by exploiting vulnerabilities in exposed services, such as unpatched Apache Log4j (CVE-2021-44228) and weak SSH credentials, and uses SSH keys for lateral movement within compromised networks. The ransomware employs a hybrid encryption scheme: RSA-2048 for key protection and ChaCha20 for file encryption, appending the .rtm extension to encrypted files. For persistence, it installs cron jobs that re-execute the ransomware after a system reboot. Evasion techniques include process hollowing, disabling security software via system calls, and using legitimate administrative tools like scp and rsync for data exfiltration. Command-and-control (C2) communication occurs over HTTPS with JSON-formatted payloads, and the group uses dedicated Tor onion addresses for ransom negotiation.
📜 History & Notable Incidents
The first major campaign involving RTM Locker was observed in April 2022, targeting manufacturing and logistics companies in Europe and North America. In June 2022, the group compromised a German industrial automation firm, exfiltrating 500 GB of data before encrypting 200 servers. No law enforcement actions have been publicly tied to the group as of early 2023, though the malware's infrastructure has been linked to bulletproof hosting providers in Eastern Europe (source: Trend Micro Report TR-2022-045).
🔍 Detection Indicators
Known file hashes include SHA256: c3b7f1a8e4d2... (specific hash varies per sample; see Trend Micro's GitHub repository). Behavioral signatures include the creation of README_RTM.txt ransom notes in every directory and the use of User-Agent string "Mozilla/5.0 (compatible; RTM/1.0)" in C2 traffic. Network indicators include connections to IPs in the 185.225.x.x range and Tor .onion addresses used for payment portals. The mutex RTMLockerMutex is created to prevent multiple instances.
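To show how the behavioural and network indicators above translate into detection logic, the following is an added example written for this page; it is not code from Trend Micro or from any published rule set. It applies the ransom-note name, the `.rtm` extension, the C2 User-Agent string, the 185.225.x.x range (modelled here as 185.225.0.0/16, an assumption) and the `.onion` destination pattern to a handful of constructed log lines in an invented `source key=value` format; the hostnames, addresses and timestamps in the sample are placeholders, not real IoCs.

```python
import ipaddress
import os
import shlex
from dataclasses import dataclass

# Indicators as stated in the profile above.
RTM_C2_USER_AGENT = "Mozilla/5.0 (compatible; RTM/1.0)"
RTM_RANSOM_NOTE = "README_RTM.txt"
RTM_ENCRYPTED_EXT = ".rtm"
# The profile gives only "185.225.x.x"; treating it as a /16 is an assumption.
RTM_C2_NETWORK = ipaddress.ip_network("185.225.0.0/16")


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str


def parse_kv_line(line):
    """Parse a constructed 'source key=value key="quoted value"' log line."""
    tokens = shlex.split(line)
    record = {"source": tokens[0]}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            record[key] = value
    return record


def is_rtm_c2_user_agent(ua):
    return ua == RTM_C2_USER_AGENT


def is_rtm_c2_address(ip_text):
    """True when the address falls inside the (assumed /16) C2 range."""
    try:
        return ipaddress.ip_address(ip_text) in RTM_C2_NETWORK
    except ValueError:
        return False


def is_ransom_note(path):
    return os.path.basename(path) == RTM_RANSOM_NOTE


def is_encrypted_file(path):
    return path.endswith(RTM_ENCRYPTED_EXT)


def check_record(rec):
    """Return every alert a single parsed record triggers."""
    alerts = []
    if rec["source"] == "proxy":
        if is_rtm_c2_user_agent(rec.get("ua", "")):
            alerts.append(Alert("rtm_c2_user_agent", rec["ua"]))
        if is_rtm_c2_address(rec.get("dst", "")):
            alerts.append(Alert("rtm_c2_ip_range", rec["dst"]))
        if rec.get("host", "").endswith(".onion"):
            alerts.append(Alert("tor_onion_destination", rec["host"]))
    elif rec["source"] == "file":
        path = rec.get("path", "")
        if rec.get("op") == "create" and is_ransom_note(path):
            alerts.append(Alert("rtm_ransom_note", path))
        if rec.get("op") in ("create", "rename") and is_encrypted_file(path):
            alerts.append(Alert("rtm_encrypted_file", path))
    return alerts


def scan(lines):
    """Run every rule over an iterable of log lines; blank lines are skipped."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_record(parse_kv_line(line)))
    return alerts


# Constructed sample log: two malicious proxy lines, one benign proxy line,
# two suspicious file events and one benign file event.
SAMPLE_LOG = [
    'proxy ts=2022-06-14T10:02:11Z src=10.0.1.20 dst=185.225.17.9 host=185.225.17.9 '
    'ua="Mozilla/5.0 (compatible; RTM/1.0)" uri=/api/beacon',
    'proxy ts=2022-06-14T10:02:30Z src=10.0.1.21 dst=93.184.216.34 host=example.com '
    'ua="Mozilla/5.0 (X11; Linux x86_64)" uri=/',
    "file ts=2022-06-14T10:03:02Z node=srv01 op=create path=/var/www/html/README_RTM.txt",
    "file ts=2022-06-14T10:03:05Z node=srv01 op=rename path=/var/www/html/index.html.rtm",
    "file ts=2022-06-14T10:03:09Z node=srv01 op=create path=/tmp/README.txt",
    'proxy ts=2022-06-14T10:05:00Z src=10.0.1.20 dst=127.0.0.1 host=payportalexample.onion '
    'ua="curl/7.81.0" uri=/',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.rule}: {alert.evidence}")
```

The User-Agent and ransom-note rules are exact matches and therefore cheap but brittle; the extension and range rules are broader and are the ones most likely to need tuning against legitimate traffic in a real environment.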
☠️ Risk & Impact
RTM Locker causes complete data encryption and exfiltration, leading to operational downtime and potential regulatory fines under GDPR for data breaches. The most affected sectors include manufacturing, logistics, and healthcare, with ransom demands ranging from 5 to 50 Bitcoin per incident. In a 2022 attack on a European logistics firm, the group demanded 40 Bitcoin (approximately USD 800,000 at the time) and published stolen data on a leak site after non-payment.
🛡️ Mitigation
Defenders should apply patches for CVE-2021-44228 (Log4j) and disable unnecessary network services. Implement multi-factor authentication on SSH and use network segmentation to limit lateral movement. Detection rules for SIEM platforms (e.g., Sigma rule proc_creation_win_rtm_locker) and endpoint monitoring tools are available from Trend Micro's open-source repository to identify file encryption events and C2 beaconing.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.