[Virus/Malware Activity Report: RTM Locker Ransomware]
A breach believed to involve RTM Locker ransomware has been identified. We have confirmed the situation and issue the following warning.
RTM Locker ransomware
The ransomware is called RTM Locker. It appears to rename every encrypted file to its original file name, followed by its extension, followed by an individual password value.
How it works
File version
[Figure 1 Ransomware compiler information]
[Figure 2 File information in window properties]
Behavioral process
Kill specific running processes
So that encryption can proceed without interference, the ransomware compares the names of running processes against specific names and forcibly terminates document, SQL, and security/backup processes.
[Figure 3 (left) static code / (right) name comparison observed during dynamic execution]
Stop specific services
Issues stop commands to services whose names match specific backup/SQL/security service names.
[Figure 4 (left) static code / (right) services that receive stop commands during dynamic execution]
Change wallpaper
Locates the Temp folder, writes an image file from binary data embedded in the executable, and then changes the desktop settings to use that image.
[Figure 5 (left) static code / (right) image creation and settings change observed during dynamic execution]
Infection results
A ransom note, How To Restore Your Files.txt, is created in each path. As encryption proceeds, files are renamed to <file name.extension.individual password value>, and once encryption completes the desktop wallpaper is changed.
[Figure 6 Infection results]
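The two on-disk traces described above (the note dropped in each path and the appended suffix on encrypted files) are enough for a quick read-only triage scan of a host or share. The following is an added example, not code from the original report or from White Defender; the note file name comes from the report, while the sample directory tree, the list of "known" extensions, and the suffix value are constructed assumptions.

```python
"""Read-only triage scan for RTM Locker infection traces: the ransom note
'How To Restore Your Files.txt' in each directory and files renamed to
<name.ext.suffix>. The suffix format is unknown here (assumption)."""
import os
import shutil
import tempfile
from collections import Counter

NOTE_NAME = "How To Restore Your Files.txt"   # file name taken from the report
# Extensions that normally end a file name; a stray suffix after one of these
# is treated as a rename indicator (assumed list, extend for your estate).
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".bak", ".txt", ".mdf"}

def looks_renamed(filename: str) -> bool:
    """True when the last suffix is unknown but the part before it ends in a
    known extension, e.g. 'report.docx.k7Fz' -> stem 'report.docx'."""
    stem, last = os.path.splitext(filename)
    if not last or last.lower() in KNOWN_EXTS:
        return False                       # ordinary file, nothing appended
    return os.path.splitext(stem)[1].lower() in KNOWN_EXTS

def scan_tree(root: str) -> dict:
    """Walk `root`, counting notes, renamed files and affected directories."""
    notes, renamed, dirs_hit = 0, 0, Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                notes += 1
                dirs_hit[dirpath] += 1
            elif looks_renamed(name):
                renamed += 1
                dirs_hit[dirpath] += 1
    # Both traces together are the strong signal; either alone may be benign.
    return {"notes": notes, "renamed": renamed, "dirs_hit": len(dirs_hit),
            "infected": notes > 0 and renamed > 0}

def demo() -> dict:
    """Build a constructed sample tree (two hit dirs, one clean) and scan it."""
    root = tempfile.mkdtemp(prefix="rtm_demo_")
    sample = {"docs": [NOTE_NAME, "budget.xlsx.Q9vL2", "memo.docx.Q9vL2"],
              "db": [NOTE_NAME, "prod.mdf.Q9vL2"],
              "clean": ["notes.txt", "archive.tar.gz"]}   # constructed names
    for sub, names in sample.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()
    result = scan_tree(root)
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print(demo())   # {'notes': 2, 'renamed': 3, 'dirs_hit': 2, 'infected': True}
```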
White Defender response
White Defender blocks the ransomware, and before its malicious actions take effect it automatically restores in real time the files that would otherwise have been encrypted.
[Figure 10 Block message]