SpearTip | March 4th, 2021

A new ransomware strain has been discovered in use as a backup plan to a popular banking trojan, RTM (Read The Manual).

RTM utilizes email phishing to fool victims into clicking on links and stealing credentials. Should their initial payload fail to execute, they’ll deploy a new ransomware strain called “Quoter” because of the famous movie quotes embedded in their code.

What’s unusual about this Russian-speaking threat group is the fact they’ve targeted and attacked Russian entities. Most Russian threat groups follow the unwritten rule of not targeting any Russian organizations. However, they have attacked some organizations outside of the country as well.

Within RTM’s phishing emails are subject lines such as “Subpoena,” “Request for refund”, “Closing Documents”, and “copies of documents for the last month.” Your employees should be aware of these types of phishing emails and have the ability to identify them. This is one of the main ways threat actors gain administrative access to entire organizations with a simple click.

The trojan will gain control of an environment and substitute account credentials when the victim attempts to make a payment or transaction online.

When this threat group gets a user to click on an email and successfully infiltrates an environment, but their payload fails, they’ll deploy the new ransomware Quoter. The new strain will encrypt files and request a ransom demand. As of today, the group is averaging $1 million per request.

The third step in RTM’s attack plan comes via the usual double extortion we’ve seen utilized by many groups over the past year. Victims either refuse to pay the demand or ignore it completely and this is when the group threatens to release the information or post it on their leak sites in order to coerce payments.

In conclusion, be prepared. The only way to ensure you’re not susceptible to attacks from malicious threat actors is by engaging with a security firm like SpearTip. Allow our cyber experts to take the weight off your team’s shoulders and rest assured knowing certified engineers are monitoring your environment every moment of the day. They work in conjunction with our ShadowSpear® Platform which utilizes a SIEM to sort information. The SIEM helps verify threats for a simplified and rapid response.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.