
RTM Locker’s First Linux Ransomware Strain Targets NAS and ESXi Hosts
The threat actors behind RTM Locker have developed a ransomware strain capable of targeting Linux machines, marking the group’s first foray into the open source operating system.
“The locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by the leaked source code of the Babuk ransomware,” Uptycs said in a new report published Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files.”
RTM Locker was first documented by Trellix earlier this month, which described the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cyber crime group called Read The Manual (RTM), which is known to have been active since at least 2015.
The group is notorious for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement and hospitals in order to attract as little attention as possible. It also uses affiliates to demand ransoms from victims, in addition to leaking stolen data if the victims refuse to pay.
The Linux variant is specifically geared toward ESXi hosts: it stops all virtual machines running on the compromised host before starting the encryption process. The exact initial infection vector used to deliver the ransomware is currently unknown.

“It is statically compiled and stripped, making reverse engineering more difficult and allowing the binary to run on more systems,” explains Uptycs. “The encryption function also uses pthreads (aka POSIX threads) to speed up execution.”
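For triage, the two properties Uptycs names (statically linked, stripped) can be read straight from the ELF headers. The following is an added example, not code from Uptycs or the original article; the names `triage_elf` and `build_elf` are hypothetical, the inputs are constructed, and because many legitimate binaries are also static and stripped the result is a prioritisation hint rather than a verdict.

```python
import struct

PT_INTERP, SHT_SYMTAB = 3, 2  # values from the ELF specification

def triage_elf(data: bytes) -> dict:
    """Report whether an ELF64 little-endian image is static and stripped."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4:6] != b"\x02\x01":
        raise ValueError("only ELF64 little-endian is handled here")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    # p_type is the first field of a program header, sh_type the second
    # 32-bit field of a section header.
    p_types = [struct.unpack_from("<I", data, phoff + i * phentsize)[0]
               for i in range(phnum)]
    s_types = [struct.unpack_from("<I", data, shoff + i * shentsize + 4)[0]
               for i in range(shnum)]
    static = PT_INTERP not in p_types      # no dynamic loader requested
    stripped = SHT_SYMTAB not in s_types   # no .symtab (or no sections at all)
    return {"static": static, "stripped": stripped, "flag": static and stripped}

def build_elf(p_types, s_types) -> bytes:
    """Constructed sample: ELF header plus bare header tables, no code."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64,
                      64 + 56 * len(p_types), 0, 64, 56, len(p_types),
                      64, len(s_types), 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in p_types)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                     for t in s_types)
    return hdr + phdrs + shdrs

# Constructed inputs, not real samples.
STATIC_STRIPPED = build_elf([1, 1], [0, 1, 3])          # PT_LOAD only, no SYMTAB
DYNAMIC_WITH_SYMS = build_elf([6, 3, 1, 2], [0, 1, 2, 3])  # PT_INTERP + SYMTAB

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_elf(fh.read()))
    print("static+stripped sample:", triage_elf(STATIC_STRIPPED))
    print("dynamic sample:", triage_elf(DYNAMIC_WITH_SYMS))
```

Run with file paths as arguments to check binaries found on a host, for example unexpected executables on an ESXi datastore or NAS share.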
After successful encryption, victims are urged to contact the support team within 48 hours via Tox or risk their data being published. Decrypting files locked with RTM Locker requires a public key appended to the end of the encrypted file and the attacker’s private key.
The development comes as Microsoft disclosed that vulnerable PaperCut servers are being actively targeted by threat actors to spread the Clop and LockBit ransomware.