The “Read The Manual” (RTM) Locker gang is a ransomware-as-a-service (RaaS) provider targeting corporate environments with strict rules for their affiliates. The gang’s main goal is to fly under the radar and make money while remaining unknown. They post notifications in Russian and English, with the former being of better quality.
- Their panel provides insight into their rules, targets, and way of working. The affiliates are required to remain active or notify the gang of their leave, ensuring the gang’s organizational maturity.
- The gang’s modus operandi is to extort their victims twice, by encrypting files and publishing stolen data. They avoid CIS countries, morgues, hospitals, and COVID-19 vaccine-related corporations.
- Technical analysis of their Windows ransomware executable shows that the locker does not utilize an exploit to obtain elevated permissions, instead, it launches itself with the required permissions.
- The locker also terminates processes and services which can block files or are used during the analysis of malicious files, and it empties the recycle bin and deletes shadow copies before starting the encryption process.
