December 1, 2023

Researchers have spotted a new ransomware binary targeting Linux systems, which has been attributed to the ransomware-as-a-service RTM group.

The RTM Locker malware is specifically geared toward ESXi hosts, as it contains two ESXi-related commands. Its initial access vector remains unknown. It combines asymmetric and symmetric encryption, which makes it impossible to decrypt files without the attacker’s private key.

The group's locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code. It uses a combination of ECDH on Curve25519 (asymmetric encryption) and ChaCha20 (symmetric encryption) to encrypt files.

The code similarities with Babuk include the methods used to generate random numbers. The two families also share the types of files they encrypt. Finally, both use advanced encryption techniques that make it difficult to recover the encrypted files without the attacker’s private key.

The public key, which is appended as an extension (Windows) or at the end of the encrypted file (Linux), is read when decrypting files. The shared secret is then obtained with the attacker’s private key, allowing file decryption.

Despite the technical analysis of the new binaries, the security researchers said the initial access vector for RTM Locker is unknown.

The two ESXi commands are:

  • “esxcli vm process list >> vmlist.tmp.txt” – This command lists all the ESXi VMs currently running on the system.
  • “esxcli vm process kill -t=force -w” – This command kills all the ESXi VMs that were found by the previous command.
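
For defenders, the two commands above can be hunted for in ESXi shell command logs. The following detection sketch is an added example, not code from the researchers or from the malware; the log line layout, the world IDs, the function name triage and the 20-line correlation window are assumptions made for illustration.

```python
import re

# Patterns for the two esxcli commands named in this article.
LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b")
KILL_RE = re.compile(
    r"\besxcli\s+vm\s+process\s+kill\b(?=.*(?:-t|--type)[=\s]force\b)")
DUMP_FILE = "vmlist.tmp.txt"  # output file used by the first command

# Constructed sample lines (assumed layout: timestamp, process, user, command).
SAMPLE_LOG = """\
2023-04-26T10:14:40Z shell[2101234]: [root]: esxcli vm process list
2023-04-26T10:15:02Z shell[2101234]: [root]: esxcli vm process list >> vmlist.tmp.txt
2023-04-26T10:15:03Z shell[2101234]: [root]: esxcli vm process kill -t=force -w 1234567
2023-04-26T10:15:09Z shell[2101234]: [root]: esxcli vm process kill --type soft -w 7654321
""".splitlines()


def triage(lines, window=20):
    """Return (line_no, severity, reason) findings for shell log lines.

    A forced kill within `window` lines after a VM enumeration is 'high'.
    A forced kill on its own, or a listing redirected to vmlist.tmp.txt,
    is 'medium'. A plain listing or a soft kill is routine admin work
    and is not reported.
    """
    findings = []
    last_list = None  # line number of the most recent VM enumeration
    for no, raw in enumerate(lines, 1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if LIST_RE.search(line):
            last_list = no
            if DUMP_FILE in line:
                findings.append((no, "medium", "VM list written to " + DUMP_FILE))
        elif KILL_RE.search(line):
            chained = last_list is not None and no - last_list <= window
            if chained:
                findings.append((no, "high", "forced VM kill after enumeration"))
            else:
                findings.append((no, "medium", "forced VM kill"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A forced kill of running VMs is rare in normal operations, so the "high" finding is the one worth alerting on; the "medium" findings are better suited to review alongside other host telemetry.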

Both Linux versions encrypt files with the .log, .vmdk, .vmem, .vswp, and .vmsn file extensions.

Indicators of Compromise

  • 55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638
  • b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b
  • d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0
