New ransomware gang RTM, or Read the Manual, has written malware specifically targeting Linux, researchers have warned. Known as RTM Locker, it also targets VMware's ESXi hypervisor. This reflects a growing trend of Linux malware, as more criminals go after data stored in the cloud by attacking the servers, most of them running the open-source operating system, that host it.
The malware is apparently based on leaked source code of Russian ransomware gang Babuk.
RTM sells ransomware targeting Linux
RTM Locker is the gang's first Linux binary. It specifically targets ESXi hosts and embeds two ESXi commands. These are not exploits of hypervisor vulnerabilities but esxcli administrative commands of the kind Babuk-derived ESXi lockers use to list running virtual machines and force-kill them, so that their disk files are no longer held open when encryption starts. The hosts themselves are the same class of VMware hypervisor that was compromised on thousands of machines during the ESXiArgs attacks.
The gang, which has so far stayed under the radar, was discovered touting the new Linux locker on the dark web by security company Uptycs.
The malware is particularly difficult to recover from because it combines asymmetric and symmetric encryption in the usual hybrid pattern: each file is encrypted with a symmetric key, and that key is in turn protected with the attacker's public key, so files cannot be decrypted without the attacker's private key, says the Uptycs report.
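The hybrid scheme the report describes, shown as an added example that is not from the original article, the Uptycs report, or any RTM Locker sample: the locker side embeds only the attacker's X25519 public key, derives a fresh per-file symmetric key through ECDH with an ephemeral key pair, and stores the ephemeral public key beside the ciphertext while discarding the ephemeral private key and the file key. The key-derivation step, the HMAC-SHA256 counter-mode keystream that stands in for a real stream cipher, and the blob layout are assumptions chosen so the script runs on the Python standard library alone; nothing here reproduces the real malware's primitives or file format.

```python
"""Hybrid (asymmetric + symmetric) file encryption, as an illustration of why
a locker's files cannot be recovered without the attacker's private key.

Assumptions (not taken from any RTM Locker analysis): the KDF, the
HMAC-SHA256 counter-mode keystream (a stand-in stream cipher, not ChaCha20),
and the eph_pub || nonce || tag || body blob layout are this example's own.
"""
import hashlib
import hmac
import os

# --- X25519 per RFC 7748 (Montgomery ladder), pure Python so no third-party
# --- library is needed. Not constant-time; fine for a demonstration only.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar):
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, u):
    """Scalar multiplication on Curve25519; returns the 32-byte u-coordinate."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: an assumed stand-in for a stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(shared, eph_pub, attacker_pub):
    """Assumed KDF: bind the DH output to both public keys, split enc/mac keys."""
    okm = hashlib.sha512(b"hybrid-demo-kdf" + shared + eph_pub + attacker_pub).digest()
    return okm[:32], okm[32:]


def encrypt_file(plaintext, attacker_pub):
    """Locker side: knows only the attacker's public key."""
    eph_priv, eph_pub = keypair()
    enc_key, mac_key = _derive_keys(x25519(eph_priv, attacker_pub), eph_pub, attacker_pub)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, eph_pub + nonce + body, hashlib.sha256).digest()
    # eph_priv and enc_key go out of scope here; the victim is left with public data only.
    return eph_pub + nonce + tag + body


def decrypt_file(blob, attacker_priv):
    """Decryptor side: recomputes the file key from the ephemeral public key
    and the attacker's private key. Returns None when the key is wrong."""
    eph_pub, nonce, tag, body = blob[:32], blob[32:48], blob[48:80], blob[80:]
    attacker_pub = x25519(attacker_priv, BASEPOINT)
    enc_key, mac_key = _derive_keys(x25519(attacker_priv, eph_pub), eph_pub, attacker_pub)
    expected = hmac.new(mac_key, eph_pub + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


if __name__ == "__main__":
    attacker_priv, attacker_pub = keypair()  # priv never leaves the attacker
    sample = b"constructed stand-in for a VM disk file\n" * 8  # constructed input
    blob = encrypt_file(sample, attacker_pub)
    print("decrypt with attacker key:", decrypt_file(blob, attacker_priv) == sample)
    print("decrypt with a guessed key:", decrypt_file(blob, os.urandom(32)))
```

The point to take from the example is in what the victim is left holding: the attacker's public key (in the binary), a per-file ephemeral public key and the ciphertext. None of those yields the file key, and because every file gets its own ephemeral key, recovering one file's key does not help with the next. The only defensive levers are therefore backups that the locker cannot reach and catching the VM enumeration and kill activity before encryption starts.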
RTM appears to be trying to remain under the radar, but its activity caught the eye of another security company, Trellix, earlier this month.
“Their goal is not to make headlines, but rather to make money while remaining unknown,” the company’s report says. All affiliates are required to abide by a hyper-organised structure. “The business-like set up of the group where affiliates are required to remain active or notify the gang of their leave, shows their organisational maturity.” This is how the notorious RaaS gang Conti operated, the Trellix research adds.
Increasing trend for Linux malware
This is the second case this week of cybercriminal activity targeting the Linux operating system. Chinese cyber-espionage group Alloy Taurus was exposed on Wednesday as using a bespoke malware called PingPull that specifically targets Linux.
According to a report by Atlas VPN, the rise began in 2022. “The majority, 854,690, of new Linux malware samples were detected in the first quarter of 2022,” it reads. Over the same period, the report continues, the number of new malware samples written for other operating systems fell.
“New malware numbers dropped by 39% to 73.7 million in 2022. Android saw the most significant fall in newly programmed malware. New Android malware samples declined by 68%, from 3.4 million in 2021 to 1.1 million in 2022,” it reads.
This could be due to the increase in cloud storage over the past year, explains Allan Liska, CSIRT at Recorded Future. “A lot of web hosting is done on Linux servers,” he says. “Linux has always been the primary hosting platform because it’s a lot cheaper to run servers on Linux than it is on Windows.”
He adds: “We’re storing more and more data in the cloud and that means that a lot of what we think of as cloud infrastructure is actually being hosted on Linux machines.
“If data is stored in the cloud and that cloud happens to run on Linux servers, you want to be able to get access to those Linux servers to be able to steal the data.”