A new ransomware binary targeting Linux systems has been attributed to the ransomware-as-a-service (RaaS) RTM group.
Security researchers at Uptycs shared the findings in an advisory published on Wednesday, saying this is the first time the group has created a Linux binary.
“Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” explained the company.
Similarities in the code include methods to generate random numbers. They also share the type of files they encrypt. Finally, both use advanced encryption techniques to make it difficult to recover the encrypted files without the attacker’s private key.
“It uses a combination of [...] asymmetric encryption and [...] symmetric encryption to encrypt files.”
To decrypt a file, the public key is read back from it: the key is appended as an extension to the encrypted file on Windows and at the end of the encrypted file on Linux. The attacker’s private key is then used to obtain the shared secret, which allows the file to be decrypted.
“Use of both asymmetric and symmetric encryption makes it impossible to decrypt the encrypted files without the attacker’s private key,” reads the advisory.
Describing the new malware, Uptycs said it is specifically geared toward ESXi hosts, servers or data storage devices on which VMware ESXi hypervisors have been installed.
Further, Uptycs noted some differences between RTM Locker and Babuk ransomware.
“Babuk differs slightly from RTM Locker by using sosemanuk for asymmetric encryption, while RTM Locker uses ChaCha20.”
Despite the technical analysis of the new binaries, the security researchers said the initial access vector for RTM Locker is unknown at the time of writing.
The Uptycs advisory contains YARA rules that can be used by system defenders to scan suspicious processes.
Another ransomware family now evolving to target Linux systems is IceFire, which was recently analyzed by security experts at SentinelOne.