RTM cybergang uses new Quoter ransomware to target finance and transport organisations
March 2021 by Kaspersky
Since December 2020, Kaspersky has detected an ongoing series of targeted attacks against financial and transport companies using a new ransomware dubbed Quoter. The attacks have been carried out by a notorious Russian-speaking actor, RTM, which has specialised in targeting corporate users since 2016. The attackers demand an average of one million dollars in ransom each time. This new ransomware is the first upgrade of a well-known toolkit usually employed by this group. Moreover, the cybergang, which traditionally hunts down organisations outside of Russia, has attacked organisations in its own country for the first time, signalling ongoing changes in this criminal group’s strategy.
The recent attacks, which more or less follow the standard pattern of RTM activity, were first detected in December 2020 and are still ongoing. Primary infection occurs through the distribution of phishing emails. The attackers choose a subject that they calculate will compel the recipient to open the message, such as “Request for refund” or “Copies of documents for the last month”. If the target clicks on a link or opens an attachment, the RTM Trojan is downloaded to their device.
After successfully entering the system, the attackers try to transfer money through accounting programs by replacing payment order details, either by using malicious software or manually with remote access tools. If this fails, they launch the Quoter ransomware. The program encrypts data and leaves contact details for communicating with the attackers. If the victim does not respond, the attackers announce that they are ready to release the stolen confidential information into the public domain and attach evidence. Several months pass between the initial infection of the system and the deployment of the ransomware.

“These incidents indicate an interesting trend where attackers are using ransomware as an additional leverage to achieve their goals. Their tactics include the use of several tools at once – such as a phishing email with a banking Trojan and an encryption program,” comments Sergey Golovanov, Principal Security Researcher at Kaspersky. “The fact that RTM has attacked Russian organisations is unusual as the standard practice is to use such ransomware tools against organisations in other countries. This, however, does not mean that they will stick to this tactic, and we may see such attacks in other regions in the near future.”
Kaspersky solutions detect the Quoter ransomware as Trojan-Ransom.Win32.Quoter.
To counter sophisticated attacks, Kaspersky recommends that organisations:
• Conduct cybersecurity training for employees on a regular basis, for example with the Kaspersky Automated Security Awareness Platform, since targeted attacks often start with phishing and other social engineering techniques.
• Always keep fresh back-up copies of your files so that you can restore them if they are lost. Store the copies not only on the physical device but also in cloud storage for greater reliability, and make sure you can access them quickly in an emergency.
• Regularly check if the enterprise has network segments that must be isolated from other networks and the internet; for example, by conducting periodic security analysis and penetration tests.
• Restrict access to remote management tools from external IP addresses. Ensure that remote control interfaces can only be accessed from a limited number of endpoints.
• Implement an EDR solution that detects attacks which misuse legitimate software, such as remote access tools.
• Never pay the ransom if you become a victim. Ransomware is a criminal offence. Paying won’t guarantee you get your data back or that criminals won’t put it into the public domain, but it will encourage criminals to continue their business. Instead, report the incident to your local authority.