Tag Archive for: lockers

RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts


Apr 27, 2023 | Ravie Lakshmanan | Linux / Endpoint Security


The threat actors behind RTM Locker have developed a ransomware strain that’s capable of targeting Linux machines, marking the group’s first foray into the open source operating system.

“Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” Uptycs said in a new report published Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and ChaCha20 (symmetric encryption) to encrypt files.”

RTM Locker was first documented by Trellix earlier this month, describing the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that’s known to be active since at least 2015.

The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affiliates to ransom victims, in addition to leaking stolen data should they refuse to pay up.

The Linux flavor is specifically geared to single out ESXi hosts: it terminates all virtual machines running on a compromised host before commencing the encryption process. The exact initial infection vector used to deliver the ransomware is currently unknown.


“It is statically compiled and stripped, making reverse engineering more difficult and allowing the binary to run on more systems,” Uptycs explained. “The encryption function also uses pthreads (aka POSIX threads) to speed up execution.”


Following successful encryption, victims are urged to contact the support team within 48 hours via Tox or risk getting their data published. Decrypting a file locked with RTM Locker requires the public key appended to the end of the encrypted file and the attacker’s private key.

The development comes as Microsoft revealed that vulnerable PaperCut servers are being actively targeted by threat…

Source…

Hacker opens 2,732 PickPoint package lockers across Moscow



Image via PickPoint

A mysterious hacker used a cyber-attack to force-open the doors of 2,732 package delivery lockers across Moscow.

The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg.

Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address.

Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app.

However, the same system that allows users to open lockers and retrieve their packages was attacked on Friday.

Using a yet-to-be-identified exploit, a mysterious hacker forced open the doors for a third of PickPoint’s lockers, leaving thousands of packages exposed to theft across Moscow.

The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities.

The Russian company said it is currently working to restore its network, which was damaged during the attack.

It also remains unclear if packages were stolen from lockers. According to social media posts, guards and landlords were quick to intervene on Friday and restrict access to the obviously malfunctioning lockers.

As the…

Source…