Quoter Ransomware

SpearTip | March 4th, 2021


The new Quoter ransomware strain has been discovered in use as a backup plan to a popular banking trojan, RTM (Read The Manual). RTM utilizes email phishing to fool victims into clicking on links and stealing credentials. Should their initial payload fail to execute, they’ll deploy the new Quoter ransomware strain because of the famous movie quotes embedded in their code.

Details of New Quoter Ransomware

What’s unusual about this Russian-speaking threat group is the fact they’ve targeted and attacked Russian entities. Most Russian threat groups follow the unwritten rule of not targeting any Russian organizations. However, they have attacked some organizations outside of the country as well.

Within RTM’s phishing emails are subject lines such as “Subpoena,” “Request for refund”, “Closing Documents”, and “copies of documents for the last month.” Your employees should be aware of these types of phishing emails and have the ability to identify them. This is one of the main ways threat actors gain administrative access to entire organizations with a simple click.

The trojan will gain control of an environment and substitute account credentials when the victim attempts to make a payment or transaction online.

When this threat group gets a user to click on an email and successfully infiltrates an environment, but their payload fails, they’ll deploy the new Quoter ransomware. The new strain will encrypt files and request a ransom demand. As of today, the group is averaging $1 million per request.

The third step in RTM’s attack plan comes via the usual double extortion we’ve seen utilized by many groups over the past year. Victims either refuse to pay the demand or ignore it completely and this is when the group threatens to release the information or post it on their leak sites in order to coerce payments.

In conclusion, be prepared. The only way to ensure you’re not susceptible to attacks from malicious threat actors is by engaging with a security firm like SpearTip. Allow our cyber experts to take the weight off your team’s shoulders and rest assured knowing certified engineers are monitoring your environment every moment of the day. They work in conjunction with our ShadowSpear® Platform which utilizes a SIEM to sort information. The SIEM helps verify threats for a simplified and rapid response.

SpearTip’s cyber professionals continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.


Connect With Us

Featured Articles

Cybersecurity Health Checks
Cybersecurity Health Checks: Why Companies Need Them
22 April 2024
New Loop DoS Attack
New Loop DoS Attack Affecting Linux Systems
19 April 2024
Possible Cyberattack
Possible Cyberattack During 2024 Summer Olympics
15 April 2024
Tabletop Exercises
Tabletop Exercises: Transformative Impact on Companies
12 April 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.