In 2015, a new cybercriminal gang emerged on the scene, targeting businesses in Russia with banking malware via drive-by downloads, spam, and phishing emails. This group, called "Read The Manual" Locker, or RTM, has since evolved its attack tactics to include deploying ransomware payloads on compromised hosts. In March 2021, the Russian-speaking group was attributed to an extortion and blackmail campaign that deployed a trifecta of threats: legitimate remote access tools, a financial trojan, and a ransomware strain called Quoter.

Trellix, a cybersecurity firm, has been tracking the group's activity and released a report detailing its findings. According to the report, RTM Locker functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. The group uses affiliates to ransom victims, and all affiliates are required to abide by the gang's strict rules. This business-like setup shows the organizational maturity of the group, as has also been observed in other groups, such as Conti.

Trellix told The Hacker News that there is no relationship between Quoter and the RTM Locker ransomware executable used in the latest attacks. However, the firm did note that the latest attack campaign marks a shift in the group's usual modus operandi: it typically targets businesses in Russia, whereas the Quoter campaign appears to be targeting individuals in the US. It's unclear at this time what the motivation behind this change may be.

Cybersecurity researchers are constantly working to track the activity of cybercriminal gangs in order to better understand their tactics and help businesses and individuals protect themselves from becoming victims of attacks. Groups like RTM Locker are constantly evolving their tactics, so it's important to stay up to date on the latest information in order to best defend against them.