View All R&D Articles

The RTM Locker Ransomware Group: 4 Quick Facts

April 17, 2023

RTM (Read The Manual) Group is a Ransomware-as-a-Service (RaaS) organization that has attacked businesses in the United States and other countries. Like most ransomware groups, RTM gains access to target systems through phishing, software vulnerabilities, or other attack vectors, then deploys ransomware to encrypt important data.

The victim is extorted into paying a ransom via cryptocurrency. As many RTM members are based in Russia, paying the ransom may be illegal (read why ransomware payments can lead to civil penalties for U.S. organizations). 

Notably, RTM has gone to great efforts to remain in the shadows — the group’s operations have been described as “business-like” by CyberWire and other outlets. Members must follow fairly strict rules to remain associated with RTM.

Here are a few quick facts about RTM’s operations.

1. RTM Locker targets corporate enterprises, but their target list is strictly limited.

RTM hackers must follow a code of conduct to gain access to the group’s resources:

  • The group discourages attacks that “make headlines,” particularly attacks against public infrastructure or major corporations.
  • Morgues, COVID-19 vaccine manufacturers, and hospitals are also off-limits.
  • If an attack makes headlines, the member must remove all references to the RTM hacking group.
  • RTM affiliates log into the RaaS through a pane and must complete a CAPTCHA code. The CAPTCHA is intended to prevent security researchers from attempting brute-force attacks.

Despite these tactics, RTM has gradually gained notoriety. While RTM was probably established some time in 2015, the group’s profile has grown — ironically, because of their unique commitment to remaining obscure.

2. RTM Locker’s encryption builds self-delete after activation.

This prevents ransomware researchers from studying the ransomware for vulnerabilities. Many other ransomware variants contain self-destruct mechanisms, which vary in functionality.

RTM’s builds disable antivirus software, terminate backup services, and target existing backups/shadow copies. The goal is to prevent the victim from having any option for data recovery (other than paying the ransom). 

It’s likely that each build of the ransomware also contains “signatures,” markers intended to identify the hacker behind each attack — which would enable the RTM group to expel members who leak the software.

3. The RTM gang seems to be based in Russia.

The RTM group uses Russian and English in their internal communications. Since the group has a rule against attacking targets in Russia and Russia-affiliated nations, security researchers believe that the group is largely based in the Commonwealth of Independent States (CIS). 

Some research suggests that the group’s members have differing opinions on the Russia-Ukraine conflict. However, RTM is explicitly apolitical — they’re motivated by profit, not by ideology.

4. Paying the RTM Locker ransom will not end the threat.

RTM engages in “double-extortion.” After the victim’s data is decrypted, the group maintains the stolen data and shares it with other members. This increases the likelihood of repeat attacks and gives members an opportunity to sell information about security vulnerabilities.

At, our experts have extensively analyzed attacks from RTM and other RaaS groups. If your system has been infected by an RTM build, we’re ready to help. 

Our team will work with your organization to identify and close attack vectors, restore data from backups, and determine whether data decryption is possible. While RTM’s methods are sophisticated, a qualified ransomware recovery partner can help you recover from an attack — and prevent future incidents.

To speak with an expert, call 1-800-237-4200 or submit a case online.