Trellix reports on emerging cybercriminal gang “Read The Manual” Locker
Trellix, a cybersecurity firm, has provided detailed information on the modus operandi of a new cybercriminal gang called the “Read The Manual” Locker. The group offers ransomware-as-a-service (RaaS) to a network of affiliates who must comply with strict rules imposed by the gang. Their tactics, techniques, and procedures were explained in the report.
The gang aims to avoid attention and stay out of the headlines, focusing instead on making money while remaining anonymous. They post their notifications in both English and Russian, with the Russian text being of higher quality. The Commonwealth of Independent States (CIS) region in Eastern Europe and Asia is off-limits, so that the gang does not create victims in that area.
The report revealed that the group’s panel offers an insight into their rules, targets, and modus operandi. Based on the available information, researchers could make educated guesses about the geographic locations of some of the members.
The gang’s panel is protected by a username and password combination plus a CAPTCHA, to prevent brute-force login attempts by other actors and researchers. Affiliates can add ransomed victims, which aligns the group’s methods with the current standard behavior of ransomware gangs.
The ransom note informs victims that their network has been infected with the RTM Locker ransomware and that their files, including personal documents, photos, customer and employee data, and databases, have been encrypted and are inaccessible. The note warns that if victims do not contact the support team within 48 hours, their data will be published in the public domain, and compromised data will be sent to their competitors and regulatory authorities. The note advises victims not to attempt to recover the files themselves or modify encrypted files, as doing so may result in permanent data loss.
The ransomware does not use an exploit to gain administrator rights; instead, it simply relaunches itself requesting the necessary permissions, which triggers a User Account Control (UAC) prompt. If the victim accepts, a new process instance with administrator permissions is started and the existing locker instance terminates. If the victim refuses the prompt, the locker keeps asking until the permissions are granted.
To cripple the targeted system as effectively as possible, the RTM Locker encrypts as much data as it can and checks whether it holds administrator permissions in the built-in system domain, to confirm that the required rights were obtained and that it has unrestricted access to the device.
The RTM Locker ships without symbols; the function and variable names used in the analysis were assigned by the researchers. The locker’s main function checks the command-line arguments for “-debug” and, when it is present, sets up console output so the locker can print debug information. A screenshot in the report shows the command-line parameter check and the call to the function that sets up the console output.
The locker’s next step is to maximize its impact by terminating programs that may hold a lock on a file or that are used for the analysis of malicious files. These include sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, and notepad.exe.
It then stops every service on an embedded list. The targeted services handle anti-virus protection and backups, and they include vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, ArcSch2Svc, AcronisAgent, CASAD2DWebSvc, and CAARCUpdateSvc.
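The service-stopping behaviour above gives defenders a usable detection: a single backup or anti-virus service stopping is routine, but several services from the locker’s list stopping within the same minute is not. The following is an added example, not code from Trellix or the report; it runs over constructed, simplified Windows System log lines (Event ID 7036, “service entered the stopped state”) in an assumed `timestamp|7036|service` format and flags a burst of stops of listed services.

```python
import re
from datetime import datetime, timedelta

# Service names the report lists as stopped by RTM Locker, lower-cased for matching.
RTM_TARGET_SERVICES = {s.lower() for s in (
    "vss sql svc$ memtas mepocs sophos veeam backup GxVss GxBlr GxFWD GxCVD "
    "GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService "
    "Intuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu "
    "stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc "
    "PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator "
    "BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine "
    "BackupExecManagementService BackupExecRPCService ArcSch2Svc AcronisAgent "
    "CASAD2DWebSvc CAARCUpdateSvc").split()}

# Constructed sample export of Event ID 7036 lines: "<ISO timestamp>|7036|<service>".
# The line format is an assumption for this example, not a real Windows export format.
SAMPLE_LOG = """\
2023-04-20T10:14:55|7036|Spooler
2023-04-20T10:15:01|7036|vss
2023-04-20T10:15:01|7036|VeeamTransportSvc
2023-04-20T10:15:02|7036|sophos
2023-04-20T10:15:02|7036|BackupExecJobEngine
2023-04-20T11:40:10|7036|sql
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|7036\|(?P<svc>.+)$")

def parse_stops(log_text):
    """Yield (timestamp, service) for each well-formed 7036 line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("svc")

def detect_mass_service_stop(log_text, window_seconds=60, threshold=3):
    """Return the listed services stopped inside the first window that reaches
    `threshold` distinct services, or an empty set if no window does."""
    stops = sorted((ts, svc) for ts, svc in parse_stops(log_text)
                   if svc.lower() in RTM_TARGET_SERVICES)
    window = timedelta(seconds=window_seconds)
    for i, (start, _) in enumerate(stops):
        # Sliding window anchored at each stop event; later events are time-sorted.
        hit = {svc for ts, svc in stops[i:] if ts - start <= window}
        if len(hit) >= threshold:
            return hit
    return set()  # the isolated "sql" stop at 11:40 alone does not trigger
```

In the sample, the four listed services stopped between 10:15:01 and 10:15:02 are returned as one alert, while the unrelated Spooler stop and the lone sql stop an hour later are ignored.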
The ransomware is currently not obfuscated, making it easier to identify and mitigate. However, its ability to terminate selected processes and services can cause significant damage to the targeted system.
The sources for this piece include an article in SecurityAffairs.