RTM Locker ransomware for Linux targets servers running VMware ESXi (4th May 2023)

Ref# AL2023_26 | Date: May 4th 2023


RTM Locker is the latest ransomware campaign targeting organizations, and it has been found to target virtual machines on VMware ESXi systems using a Linux encryptor.

The “Read the Manual” Locker gang utilizes affiliates to hold individuals for ransom, and each victim is required to follow the gang's stringent regulations.


RTM Locker (also known as Read The Manual Locker) is ransomware that encrypts files, modifies the desktop background, downloads a file called “How To Restore Your Files.txt” that contains a ransom demand, and appends 64 random characters to the filenames of all encrypted files. RTM Locker is advertised as ransomware as a service (RaaS). It is distributed through malicious advertisements, torrent websites, and infected email attachments (macros).

RTM Locker ransomware appears to be influenced by Babuk ransomware's leaked source code and affects Linux, NAS, and ESXi hosts. It combines ChaCha20 (symmetric encryption) with ECDH on Curve25519 (asymmetric encryption) to encrypt files. Due to the presence of two related commands, the ransomware is specifically targeted at ESXi hosts. Its initial access vector is still unknown. Files encrypted with either the symmetric or the asymmetric scheme cannot be decrypted without the attacker's private key.

Indicators of compromise (IOCs) 


SHA-256 – c41a2ddf8c768d887b5eca283bbf8ea812a5f2a849f07c879808845af07409ed

SHA-1 – eaad989098815cc44e3bcb21167c7ada72c585fc

MD5 – 3416b560bb1542af1124b38fb344fa1f

An example of how RTM Locker renames files: it transforms “1.jpg” to “1.jpg.4117E5B4E58CF57DBE56C6EC62D6A123F429A2F014D0F5C943A014D76126E96A”, “2.png” to “2.png.24645DABEFE1F375A68DC87A394BBF5872AE166358EAE75B1A524EA9FDC92E5A”, and so on.
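The following added example, which is not part of the original alert, walks a directory tree and reports the three indicators listed above: files carrying a 64-character appended suffix, the ransom note filename, and files matching the SHA-256 IOC. It assumes the appended characters are hex digits, as in the two samples; `triage`, `demo` and the 64 MiB hashing cap are names and values chosen for this example.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from this alert.
IOC_SHA256 = "c41a2ddf8c768d887b5eca283bbf8ea812a5f2a849f07c879808845af07409ed"
RANSOM_NOTE = "How To Restore Your Files.txt"
# Assumption: the 64 appended characters are hex digits, as in the alert's samples.
RENAMED = re.compile(r"^(?P<original>.+)\.(?P<suffix>[0-9A-Fa-f]{64})$")

def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(root, ioc_hashes=(IOC_SHA256,), max_hash_bytes=64 * 1024 * 1024):
    """Walk root; report renamed files, ransom notes and IOC hash matches."""
    wanted = {h.lower() for h in ioc_hashes}
    report = {"renamed": [], "notes": [], "ioc_binaries": [], "errors": []}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            match = RENAMED.match(name)
            if name == RANSOM_NOTE:
                report["notes"].append(path)
            elif match:
                report["renamed"].append((path, match.group("original")))
            else:
                try:
                    if os.path.islink(path) or os.path.getsize(path) > max_hash_bytes:
                        continue  # not hashed: symlink or above the assumed size cap
                    if sha256_of(path) in wanted:
                        report["ioc_binaries"].append(path)
                except OSError as exc:
                    report["errors"].append((path, str(exc)))
    return report

def demo():
    # Constructed tree: one renamed file (name from the alert), one note, one clean file.
    with tempfile.TemporaryDirectory() as root:
        suffix = "4117E5B4E58CF57DBE56C6EC62D6A123F429A2F014D0F5C943A014D76126E96A"
        for name in ("1.jpg." + suffix, RANSOM_NOTE, "untouched.vmx"):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(b"constructed sample data")
        return triage(root)
```

Any entry in `renamed` or `notes` means encryption has already run on that path, while a hit in `ioc_binaries` identifies the encryptor itself and may precede encryption.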


To protect yourself against ransomware attacks, it is recommended to practice proper cyber security hygiene when navigating the internet. Here are some tips to consider:

1. Because most ransomware attacks are delivered through phishing and scams, it is necessary that users know how to spot phishing and scam emails.

2. Be wary of files downloaded from the internet. Any file should be downloaded from verified sources and scanned.

3. Be on the lookout for websites that may be compromised and attempt a drive-by download.

4. Maintain regular backups of critical systems and data in the case of a ransomware attack.

5. Restrict administrative and system access so that users who do not require those privileges do not have them.

6. Maintain and update all security software including anti-virus, anti-malware, firewalls and endpoint protections.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
