View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 27, 2023updated 28 Apr 2023 9:15am

New ransomware gang RTM becomes latest to target Linux with malware

The open-source operating system is being increasingly targeted by cybercriminals wanting to access data stored in the cloud.

By Claudia Glover

New ransomware gang RTM, or Read the Manual, has written malware specifically targeting Linux, researchers have warned. Known as RTM Locker, it also exploits VMware’s ESXi hypervisor. This reflects a growing trend of Linux malware, as more criminals try to access data stored in the cloud through servers running the open-source operating system.

Linux targeted by new ransomware gang RTM. (Photo by Roman Samborskyi/Shutterstock)

The malware is apparently based on leaked source code of Russian ransomware gang Babuk.

RTM sells ransomware targeting Linux

RTM Locker is the first Linux binary created by the gang. It specifically targets ESXi hosts and contains two ESXi commands. These are VMware hypervisor vulnerabilities that have been exploited thousands of times during the ESXiArgs attacks.

The gang, which has so far stayed under the radar, was discovered touting the new Linux bug on the dark web by security company Uptycs. 

The malware is particularly difficult to mitigate against because it uses both asymmetric and symmetric encryption making it impossible to decrypt files without the attacker’s private key, says the Uptycs report.

RTM appears to be trying to remain under the radar, but its exploits caught the eye of another security company, Trellix, earlier this month. 

“Their goal is not to make headlines, but rather to make money while remaining unknown,” the company’s report says. All affiliates are forced to abide by a hyper-organised structure. “The business-like set up of the group where affiliates are required to remain active or notify the gang of their leave, shows their organisational maturity.” This is how notorious RaaS gang Conti would operate, the Trellix research adds.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Increasing trend for Linux malware

This is the second case this week of cybercriminal activity targeting the Linux operating system. Chinese cyber-espionage gang Alloy Taurus was exposed on Wednesday as using a bespoke malware called PingPull that specifically targets Linux.

According to a report by Atlas VPN, this rise began in 2022. “The majority, 854,690, of new Linux malware samples were detected in the first quarter of 2022,” it reads. This corresponds to a decline in malware written for other operating systems, it continues.

“New malware numbers dropped by 39% to 73.7 million in 2022. Android saw the most significant fall in newly programmed malware. New Android malware samples declined by 68%, from 3.4 million in 2021 to 1.1 million in 2022,” it reads. 

This could be due to the increase in cloud storage over the past year, explains Allan Liska, CSIRT at Recorded Future. “A lot of web hosting is done on Linux servers,” he says. “Linux has always been the primary hosting platform because it’s a lot cheaper to run servers on Linux than it is on Windows.”

He adds: “We’re storing more and more data in the cloud and that means that a lot of what we think of as cloud infrastructure is actually being hosted on Linux machines.

“If data is stored in the cloud and that cloud happens to run on Linux servers, you want to be able to get access to those Linux servers to be able to steal the data.”

Read more: Vanuatu is showing small nations how to resist big cyberattacks

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.