Read The Manual (RTM) is a Russian-language ransomware group operating as a Ransomware as a Service (RaaS) that we became acquainted with as early as 2015 when the first samples of banking trojans were analyzed. However, in the interview, we will discover that the group had formed many years earlier. In its early days, its main targets were users and companies in predominantly Russian “remote banking systems,” targeted through targeted malspam campaigns.
Over the years, like many other groups, RTM has undergone a transformation, “evolving” from a banking trojan to a ransomware group. Despite this “upgrade” of its criminal profile, it has always tried to maintain a “low profile,” which has allowed it, until now, to avoid attracting too much attention from law enforcement. Today, RTM is one of the most long-standing cybercriminal groups.
In early 2023, RTM implemented a new ransomware code to target VMware ESXi/NAS platforms, allowing for a significant advancement in capabilities. For data encryption, symmetric (ChaCha20) and asymmetric (ECDH Elliptic Curve Diffie-Hellman on Curve25519) algorithms are used.
Like most ransomware groups, RTM also has its own website within Tor networks where it negotiates ransom payments with its victims, although it primarily uses the TOX chat to communicate with affiliates, researchers, and journalists as it considers it the safest means. TOX is an open-source project aimed at providing a secure and decentralized alternative for instant messaging applications.
The interview we conducted was carried out through RTM’s TOX channel; SuspectFile.com thanks the ransomware group for answering all our questions and for the willingness they have shown.
Note: We posed the questions in English, and RTM provided us with a document containing the questions and answers in Russian, which we translated.
SuspectFile.com – RTM Ransomware was first reported about 4 years ago, can you confirm that RTM was created in 2015? Your group was primarily created to target financial institutions. What motivated you to target various objectives?
RTM – We are a rather old group, formed around 2007-2008, RTM is one of our projects, it started in 2014. Our motivation has always been money. Money is an integral part of our lives, and the more there is, the better. Another significant motivation is expanding knowledge and experience in network security control.
SuspectFile.com – Can you confirm that RTM originated as a banking trojan and then evolved into ransomware? Did you integrate the software into ransomware?
RTM – It cannot be said that RTM grew from a banking trojan to ransomware; it is completely separate software, one of the branches of our group.
SuspectFile.com – Approximately how many victims have been affected by your actions?
RTM – We cannot disclose specific numbers of our victims for security reasons; we can briefly say that there are many.
SuspectFile.com – Is it true that since the end of 2022 your group has developed its own software for VMware ESXi/NAS systems, particularly for ESXi hosts installed on Linux servers?
RTM – Regarding the software on VMware ESXi/NAS, it was created along with the Windows version but was only distributed to a restricted group of people; we have also modified the software multiple times, based on third-party source codes. Currently, the software is still supported, and the code is regularly updated.
SuspectFile.com – We managed to examine some of your ransom demands, where you inform the victim of the procedure allowing them to access your negotiation chat. Besides your TOX channel, can victims negotiate through other channels? Do you have a blog listing the names of your victims?
RTM – Currently, the preferred communication form is TOX, as we consider it safer than a web administration panel on a server (we also have an administration panel). We have a blog where we publish data about our victims, but as practice shows, this too is becoming a thing of the past. When we study and analyze these companies, we focus on violations of the laws of the country in which the company is registered, as well as on confidential documents and financial information. We pay a lot of attention to competitors of these companies who might be interested in this data and often contact them. In case of non-payment, we transmit relevant data to competitors, and in case of violations, the data is sent to the competent departments, and employees are informed that their data has been compromised. The methods and strategies of our work are individually chosen for our goal; there is no universal solution for our actions.
SuspectFile.com – In 2022, we witnessed the formation of dozens of new ransomware groups, many of which disappeared within a few months. Some industry analysts and journalists argue that the ransomware phenomenon will decrease in 2022; we disagreed with this assertion and were proven right. In the first six months of 2023, this phenomenon not only intensified but the most affected sectors remained the same, such as healthcare and education. Are there entities that RTM Ransomware will never target, or is it just a matter of business for you, as for many other groups?
RTM – In the long run, locker-type malware as a source of income will naturally decrease; it’s inevitable. But just as protection methods, laws, etc. evolve, so will partnership programs, and their strategies will be modified. These are the concepts of defense and hacking; they always follow each other. We will not see partnership programs in the same form as they existed in 2022; in five years, they will be different. The intensification of ransomware programs is the result of large ransoms, as well as the media coverage of this topic. These factors push people to consider cooperation with partners. This topic is highly publicized. If a person has been previously involved in managing their own bot and reads some news articles or articles about networks and partnership programs, they will seek an opportunity to earn with RaaS. Also, a person far from the Internet, after reading a couple of loud news and working in a big company where, in their opinion, they are not appreciated/not paid enough/in conflict with management, etc., will look for a way to earn with RaaS. As for companies we will never target, this applies to nursing homes because we have great respect for the elderly, funeral homes, and hospitals. However, everything is always very individual.
SuspectFile.com – Some analyses conducted on ransomware samples show that the code author took care not to attack any CSI objects. Do you consider yourselves a politically affiliated group?
RTM – We are not a political group; we are far from politics, it simply doesn’t interest us. In our team, there is no division by countries, nations, or racial membership, only business, only business relationships!
SuspectFile.com – We know that RTM Ransomware is a closed affiliate group (RaaS) and you have serious conduct rules that your partners must obey. Has anyone from your team ever taken a stance, as has happened with other groups?
RTM – Strict rules don’t arise out of thin air; they are due to security concerns. Partners who want to work with us must understand this; these are very serious aspects upon which everyone’s security depends. Only their strict adherence allows us to work until today.
SuspectFile.com – Very little is known about your group, also because for many years you preferred to behave “moderately,” even though it allowed you to avoid “police attention.” The flip side is that perhaps this choice has prevented you from being considered a reliable group.
RTM – We adhere to the belief that less publicity is better. Attention in our work is undesirable. We simply set goals and work to achieve them; fame, etc., is secondary, almost a byproduct. If there’s a way to make things proceed quietly, we’ll make every effort to keep our actions in the shadows.
SuspectFile.com – In the recent past, you had serious server problems due to the war between Russia and Ukraine, and you had to incur significant expenses to recover the data. Is it correct to assume that these expenses were borne by your affiliates? Furthermore, is it correct to assume that the damage was caused by an internal source within your group?
RTM – It’s no secret that our group is composed of people from various countries, including individuals from Ukraine. At that time, due to these events, we partially suffered losses, but we quickly recovered. We are apolitical (unlike some partners at the time); it’s not our field of activity. We have different objectives, motivations, and vectors of development.
SuspectFile.com – Analysis conducted on a sample shows that you use a rarely used and non-traditional method when your code prepares to receive permissions in the victim’s systems. You don’t use any exploits, but the team uses a standard UAC authorization request, which is reproduced indefinitely if the user refuses to execute the command. How confident are you that the victim doesn’t become suspicious and take corrective actions before the infection begins?
RTM – The software is the final phase of the work done. At this point, the following aspects have already been completed:
1. Selection and analysis of targets
2. Penetration and security audit
3. Analysis of network construction and structure
4. Obtaining necessary permissions for further actions
5. Data download and analysis
6. Encryption
As seen from these points, the victim is not involved; they don’t make any decisions and become aware of what happened only after completing the previous steps. Then they have time to decide what to do next.
SuspectFile.com –After encrypting the file, you add an image to the desktop background. It depicts the face of Anonymous. Does your choice have a specific reason?
RTM – In principle, desktop backgrounds are purely informational. The Anonymous mask is associated with the dark web by a large number of people, so we used it.
SuspectFile.com – The question we ask every group we interview concerns the relationship of the ransomware group with its affiliates. SuspectFile.com has read hundreds of commercial chats from different groups. In some cases, communication problems arose during negotiations. The victim requested concrete evidence of data leakage and file trees, but the operator couldn’t respond because all the data was in the hands of the affiliate who hit the victim. Don’t you think such situations could undermine trust in the ransomware group?
RTM – Perhaps these groups lack experience. When we work with a target during negotiations, we can freely provide proof of the obtained data and even perform a test decryption of 1-2 files. Regarding the weakening of trust, I don’t believe so. If the target is already in negotiations, it means that all the actions we described earlier have already been completed. Usually, these questions are asked by companies wanting to clarify if documents or valuable data have fallen into the hands of the group, for further decisions like price reduction or refusal of further negotiations. If a company sees .rtm in its network, it can be assured that all its data is already with us and that their analysis has been conducted.
SuspectFile.com – In the recent past, some well-known ransomware groups disbanded for various reasons, including total disagreement with some “guidelines” imposed by the group’s leadership. Was RTM Ransomware also born from the dissolution of other groups, or did you, like many others, as partners, decide that it was time to work for yourselves?
RTM – We are not a fragment of any previously created group; our team formed a long time ago. There are no disagreements within our team regarding opinions.
SuspectFile.com – Do you also think, like other groups, that a cybersecurity company, on which businesses rely as a “negotiator,” will eventually secretly reach an agreement with a ransomware group? Has it ever happened to you?
RTM – It depends on what you mean. During negotiations, we can’t be 100% sure that the person on the other side of the monitor is directly a manager, a decision-maker, a negotiator, or a law enforcement agent. There have been cases where company employees have tried to negotiate secretly with management. Regarding the release of the decryption software, we provide it both in chat and via email to the company executives, thus excluding the possibility of negotiations without the victim’s management knowing. It should be clear that for us, payment equals decryption and deletion of data from our servers, and who and how tries to negotiate with us behind the scenes is a secondary concern.
SuspectFile.com – In fact, most companies in any sector invest little or nothing in cybersecurity. But beyond that, what are the main shortcomings that companies should address, considering that often (also in your case) underprepared personnel inadvertently open the main door of corporate information systems (such as through phishing emails)?
RTM – The biggest problem for companies is often skimping on security, thinking it won’t affect them. These issues need to be taken seriously, and people working in network security within the company should be adequately compensated. Training should also be provided to all employees who have access to networked computers, ensuring each employee has a basic understanding of how to work with PCs and minimum security practices. Additionally, timely software updates are crucial. There’s a saying: ‘The most dangerous virus is the user.’ IT work aspects like personal relationships, a person’s interest in a particular product, and hobbies are also important. All these concepts and basic work principles can be covered in a 2-hour course, significantly reducing the risk of the company falling victim to cybercriminals.
SuspectFile.com – What do you think about the release of the LockBit code and the increasing number of new groups emerging following this data leak? These groups are often formed by very young individuals with no knowledge of cybersecurity.
RTM – Young ransomware groups are always formed by relatively young and “hungry” individuals. Typically, based on existing source code, they adapt the product to their needs. They see the dark rotation of ransomware groups in the media, forums, etc., and also try to profit from it. Like any illegal activity that yields high profits in a short time, it always attracts significant attention. Drug dealing, for example, and the laws enacted by many countries are quite severe and, in some countries, lethal, but this doesn’t make this sector less attractive. The same can be said for arms dealing and prostitution. All these areas have one thing in common: minimal time investment and high margins. Therefore, there will always be people willing to engage in them, and there are many.
LockBit is a rather interesting group with a large number of users in its affiliate program. At the moment, it can be considered an old and established group on the dark web, and its existence at this moment is a matter of time. Even if the leaders of this team say everything is fine for them. It’s no secret that they are being hunted. Security and preservation of earned capital are top priorities for any group, so the community will only become aware of the decision made at the last moment.
SuspectFile.com – What reasons (if any) other than money and your skills have led you to choose this path in your life?
RTM – The times we live in.