{
	"id": "8b552c57-d6ed-46b7-8960-ef3619da996a",
	"created_at": "2026-04-10T03:20:23.022877Z",
	"updated_at": "2026-04-10T13:12:53.049285Z",
	"deleted_at": null,
	"sha1_hash": "86774c52a5bc411058226958a399fbcfd464e30b",
	"title": "RTM Locker ransomware targets VMware ESXi servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110368,
	"plain_text": "RTM Locker ransomware targets VMware ESXi servers\r\nArchived: 2026-04-10 02:53:45 UTC\r\nTarget Industry\r\nIndiscriminate, opportunistic targeting.\r\nOverview\r\nThe threat actor group, tracked as Read The Manual (RTM) Locker, has been detected targeting virtual machines\r\non VMware ESXi servers via the deployment of a Linux encryptor. Analysis of the associated malware indicates\r\nthat the encryptor has been crafted specifically for targeting VMware ESXi systems due to the linked commands\r\nused to manage virtual machines.\r\nImpact\r\nSuccessful exploitation by RTM Locker ransomware will result in the encryption and exfiltration of significant\r\namounts of data held on the compromised device or system before a ransom of a predetermined amount is issued.\r\nThe ransom fee demanded will almost certainly depend on the estimated value of the compromised organisation.\r\nEncrypted data may include private customer data, corporate finance data and system credentials. The double\r\nextortion strategy employed by the group will almost certainly result in all stolen data being published to dark web\r\nforums, where there is a realistic possibility that stolen data will be used for initial compromise in future attacks.\r\nIncident Detection\r\nThe encryptor appends the “.RTM” file extension to the encrypted file names. Ransom notes are then created with\r\nthe name, “!!! Warning !!!” on the target system.\r\nAffected Products\r\nVMware ESXi servers\r\nContainment, Mitigations \u0026 Remediations\r\nTo mitigate against ransomware attacks, technical controls should be explored. These controls could encompass\r\nthe enforcement of multi-factor authentication (MFA) for all users, conditional access policies and web proxies\r\nfiltering on low- or non-reputation domains.\r\nA primary method of reducing the threat posed by RTM ransomware is to detect it in the early stages using an\r\neffective and monitored endpoint detection and response (EDR) solution. An effective EDR tool, such as the\r\nMicrosoft Defender suite, will block ransomware attempts once detected.\r\nhttps://www.quorumcyber.com/threat-intelligence/rtm-locker-ransomware-targets-vmware-esxi-servers/\r\nPage 1 of 4\n\nOrganisations can also perform routine back-ups of sensitive data that is required for business operations and to\r\nkeep a copy offline in case back-ups are impacted by the attack. Therefore, if a breach occurs and the business can\r\nno longer function, a back-up is ready to use, and the business can continue to operate with minimal disruption.\r\nHowever, this does not nullify the fact that customer and employee data may have also been lost, and potentially\r\nreleased because the Clop ransomware group operates via double or triple extortion.\r\nIndicators of Compromise\r\nRTM associated file hashes (SHA1):\r\n– f4c746696b0f5bb565d445ec49dd912993de6361\r\n– 025c718ba31e43db1b87dc13f94a61a9338c11ce\r\n– 03de8622be6b2f75a364a275995c3411626c4d9f\r\n– 094ac3c414a9e6028afa5cdc0d4b4f3aa98b92ca\r\n– 1e4b84be1e4287c9787cd56009e1e2adb3348db8\r\n– 42a4b04446a20993ddae98b2be6d5a797376d4b6\r\n– 6cf45111b2d71862803cf91f2a79780149c46a27\r\n– 6f036c802384826b630aec70d9833b5b0ed735eb\r\n– 8966319882494077c21f66a8354e2cbca0370464\r\n– 9ac461ef9848367f46bf64649d46de955c4afc66\r\n– af862050a01972db36589653dc8b155e2b3e2f8c\r\n– b1ee562e1f69efc6fba58b88753be7d0b3e4cfab\r\n– c6e3aa123a52762bf2690b97cc79148eedd0e1e0\r\n– daa0673cb1d3eb7dbe8aa435997ecd9e1da228fd\r\n– df1a4c99791570a2d203075581a6aeef59ece02b\r\n– f89e56dd9ca78cec02d0a2b95803843c59234082\r\n– fca3d02a53e66d8975997ff2b03c8008a254a508\r\n– 00fe6cf9c85821a2a2479083acb538ee49c8c141\r\n– 2f6fd3b5a7611d72f9f9eb60b04471f9bebc738f\r\n– 471a8fd0aa32ce61cf5e4ebece95527d1b234de6\r\nRTM associated domains:\r\n– micro4n[.]top\r\n– vpntap[.]top\r\n– vpnkeep[.]bit\r\n– vpnomnet[.]bit\r\n– webstatisticaonline[.]tech\r\n– cainmoon[.]net\r\n– cash-money-analitica[.]bit\r\n– d47ea26b7faa[.]bit\r\n– fde05d0573da[.]bit\r\n– feb96eb2aa59[.]bit\r\n– money-cash-analitica[.]bit\r\n– rtm[.]dev\r\n– ssdcool[.]top\r\nRTM associated IP addresses:\r\n– 185[.]141[.]27[.]249\r\n– 185[.]82[.]216[.]14\r\n– 188[.]138[.]71[.]117\r\n– 158[.]255[.]208[.]197\r\n– 185[.]169[.]229[.]42\r\n– 185[.]61[.]149[.]78\r\n– 5[.]154[.]191[.]57\r\n– 91[.]207[.]7[.]69\r\n– 95[.]183[.]52[.]182\r\n– 109[.]236[.]82[.]150\r\n– 109[.]248[.]32[.]152\r\n– 131[.]72[.]138[.]169\r\n– 154[.]70[.]153[.]125\r\n– 158[.]255[.]6[.]150\r\n– 185[.]128[.]42[.]237\r\n– 185[.]61[.]149[.]70\r\n– 185[.]82[.]201[.]45\r\n– 200[.]74[.]240[.]134\r\n– 212[.]48[.]90[.]155\r\n– 213[.]184[.]127[.]137\r\nThreat Landscape\r\nIt was recently reported by Trellix that RTM Locker had launched a new Ransomware-as-a-Service (RaaS)\r\noperation and had started recruiting affiliates, including those from the former Conti cybercrime syndicate. At the\r\ntime of the initial reporting, only a Windows ransomware encryptor had been discovered. However, RTM has now\r\nexpanded its mode of operation to target VMware ESXi servers.\r\nVMware has a significant proportion of the virtualisation market. Given that threat actors generally utilise a\r\ncombination of probability and asset value to determine which attack surfaces to focus on, VMware products have\r\nbecome a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of\r\nboth personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the\r\nassociated devices in an attempt to extract the sensitive information contained therein.\r\nThreat Group\r\nThe RTM cybercrime group has been observed to target remote banking systems, primarily in Russia. The group\r\nuses drive-by downloads and spam with attachments of fake contracts, invoices or tax forms to deliver a custom\r\nmalware (RTM Banking Trojan) that targets accounting software and is used for the purposes of financial gain.\r\nFurther, the group operates within the confines of a RaaS model, whereby other threat actors are recruited to\r\nbecome affiliates. This indicates that the group is associated with a high level of sophistication and organisation\r\nand, as such, should be considered as a significant threat.\r\nMitre Methodologies\r\nExecution Technique:\r\nT1106 – Native API\r\nPrivilege Escalation Technique:\r\nT1134.002 – Access Token Manipulation: Create Process with Token\r\nDefense Evasion Techniques:\r\nT1070.001 – Indicator Removal: Clear Windows Event Logs\r\nT1070.004 – Indicator Removal: File Deletion\r\nT1134.002 – Access Token Manipulation: Create Process with Token\r\nDiscovery Technique:\r\nT1057 – Process Discovery\r\nCollection Technique:\r\nT1005 – Data from Local System\r\nImpact Techniques:\r\nT1486 – Data Encrypted for Impact\r\nT1489 – Service Stop\r\nFurther Information\r\nTrellix Report\r\nSource: https://www.quorumcyber.com/threat-intelligence/rtm-locker-ransomware-targets-vmware-esxi-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.quorumcyber.com/threat-intelligence/rtm-locker-ransomware-targets-vmware-esxi-servers/"
	],
	"report_names": [
		"rtm-locker-ransomware-targets-vmware-esxi-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775791223,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86774c52a5bc411058226958a399fbcfd464e30b.pdf",
		"text": "https://archive.orkl.eu/86774c52a5bc411058226958a399fbcfd464e30b.txt",
		"img": "https://archive.orkl.eu/86774c52a5bc411058226958a399fbcfd464e30b.jpg"
	}
}