RTM Locker Ransomware Burns Victims Twice


A threat group named “Read The Manual” (RTM) Locker is using ransomware to target corporate environments and is enforcing strict rules on its affiliates. The rules define a clear scope for potential targets, allowing affiliates to operate as they see fit.

The group’s primary objective is making money rather than a political motive. Most of these attacks likely begin with a simple phishing email. RTM Locker’s attacks are likely opportunity-based.

The group’s business-like approach shows its maturity as an organization. The RTM Locker group’s panel reveals its targets, rules, and tactics. The panel requires a username, password combination, and captcha code to prevent brute-force login attempts. RTM encourages its affiliates to add ransomed victims to be targeted again for a second attack to extort them.

Affiliates must remain active, or their accounts will be removed. All communication with the group must go through the TOX messenger, and linking any negotiation chat publicly is prohibited and will cause the affiliate to be banned.

RTM prohibits attacks against morgues, hospitals, and COVID-19 vaccine-related corporations. The group also explicitly warns its associates not to target vital infrastructure, law enforcement, or major corporations as they would draw unwanted attention.

Acreto Solution


Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Access Control
Acreto’s access controls provide Authorization access to the Ecosystem by a user’s identity, including MFA. By using MFA, even if a user’s credentials are compromised, the attacker will not be able to access the target resource without the additional authentication factor.

Threat Prevention

After verification of the network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

  • Threat Signature: Identifies and mitigates known bad exploits, malware, botnets and ransomware.
  • Zero-Day Behavioral Analysis: Looks for behavioral indications of threats based on how the system functions react to the payload, immediately and over time.

Technical Data

The attack flow sees the malware elevating privileges, shutting down selected processes and services (i.e. antivirus products), deleting shadow copies, and finally encrypting the files on the targeted systems.


About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.