December 11, 2023

Researchers have spotted a new RaaS provider group named Read The Manual (RTM) Locker. A typical affiliate-based model that forces its affiliates to follow strict rules, including leave notifications and minimal activity within a certain duration, failing to which their accounts may be locked or removed.

RTM Locker is a typical RaaS offering, which provides a web panel to its affiliates to manage their attack campaigns. The panel provides details about the rules, targets, and suggested attack methods.  

  • It further allows the affiliates to add their victims, extort them, and track the campaigns via a data-release-timer function.
  • Affiliates are provided with the ransomware payload to elevate privileges, delete shadow copies, and terminate antivirus and backup services before starting data encryption.
  • The panel changes the wallpaper of the targeted machine, deletes event logs and Recycle Bin contents, and ultimately, runs a shell script that self-deletes the locker.

To avoid detection, affiliates are urged to avoid attacks on hospitals, morgues, and COVID-19 vaccine-related firms. Attacks on vital infrastructure, law enforcement agencies, and other major corporations are also mentioned in its exclusion list. If attacked, affiliates are forced to remove all traces of this malware and negotiate with the victims on a separate platform.

RTM Locker operators have laid down an additional set of professional rules for affiliates to follow.

  • Affiliates are required to stay active or provide a prior notification for their absence for a longer period.
  • Inactivity for 10 days without any prior notice may get them locked out of their affiliate portal.
  • RTM Locker website is accessible only via the TOR network, and linking it with any publicly available chat software for negotiation is prohibited.
  • Outsourcing the job further, or redistributing the RTM Locker code is also prohibited by the operators.

RTM Locker is highly focused on staying away from the attention of security agencies. Strict rules would ensure that only dedicated adversaries are attracted to this malware.


The self-destructive nature of RTM Locker and the wipeout of logs make it a tough game to crack for security professionals.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.