VMware ESXi servers subjected to RTM Locker ransomware for Linux attacks

Threat actors have been targeting VMware ESXi servers with a Linux variant of the RTM Locker ransomware strain based on leaked Babuk ransomware source code, according to BleepingComputer. Attempted encryption of all VMware ESXi virtual machines commences upon launching the RTM Locker Linux encryptor, which will then be followed by the termination of all running VMs and the encryption of log, virtual disk, virtual machine memory, VM snapshot, and swap files, a report from Uptycs revealed. Researchers also found that ECDH on Curve25519 and ChaCha20 are being used by RTM Locker for asymmetric and symmetric encryption, respectively, while static implementation of cryptographic algorithms into the binary code has enhanced encryption reliability for the ransomware strain. RTM Locker was also found to leverage Tox for ransom payment negotiations, a change from using Tor sites. Such findings indicate the significant enterprise threat posed by RTM Locker although BleepingComputer noted the relative inactivity of the RTM Locker operation.