At a glance.
- "Read the Manual" and the ransomware-as-a-service market.
- Bitter APT may be targeting Asia-Pacific energy companies.
- Cozy Bear sighting.
- Hacktivist auxiliaries hit Canadian targets.
- An arrest in the Discord Papers case.
"Read the Manual" and the ransomware-as-a-service market.
Trellix yesterday shared some behind-the-scenes insight into the operations and goals of the Read the Manual (RTM) ransomware-as-a-service (RaaS) gang, previously known for its ransomware activity against corporate enterprises. The group also has a notable, specific set of rules to which affiliates must strictly adhere. Affiliates are required to remain active or to announce their absence; if ten days pass without notification, the offending affiliate is locked out of the gang's panel. Accessing the panel requires a username and password, as well as entry of a CAPTCHA code. Once inside the panel, an affiliate can add ransomed victims and set a timer for the release of their data. A section of a ransom note from the gang reads: "All your documents, photos, reports, customer and employee data, databases and other important files are encrypted and you cannot decrypt them yourself. They are also on our servers!"
Trellix reports that certain targets are off-limits. "CIS countries [former Soviet Republics] are excluded, as well as morgues, hospitals, and COVID-19 vaccine related corporations." For some reason dentistry is fair game (the researchers also note the use of the word "hospitals" rather than doctor's offices as the point of exclusion). One rule in particular emphasizes avoiding headlines, which also rules out "vital infrastructure, law enforcement, and other major corporations" as targets. Should a major corporation be impacted or an attack make headlines, all references and traces connecting the incident to the RTM gang are to be removed immediately, and negotiations are to move to a different platform.
The researchers suspect that there are affiliates and gang members on opposite sides of the war between Russia and Ukraine. In any case, the gang seems to be opportunistic in their attacks and driven by financial as opposed to political motives. For more on Read the Manual, see CyberWire Pro.