A look into the “Read the Manual” ransomware-as-a-service gang.

Trellix shared some behind-the-scenes insight into the operations and goals of the Read the Manual ransomware-as-a-service (RaaS) gang yesterday, known prior for their ransomware activity against corporate enterprises. The threat actors also have a notable, specific set of rules that require strict adherence from affiliates.

A setup reminiscent of above-board business practices.

The gang’s operations have been observed to be similar to that of legitimate, corporate organizations. The hackers require their affiliates to remain active or make their leave known, lest ten days pass without notification; in which case the offending affiliate will be locked out of the gang’s panel. Entry into the aforementioned panel requires a username and password for affiliates, as well as the entry of a CAPTCHA code. Once the user has entered the panel, they can add ransomed victims, and set a timer for the release of the data. A section of a ransom note from the gang reads: “All your documents, photos, reports, customer and employee data, databases and other important files are encrypted and you cannot decrypt them yourself. They are also on our servers!”

The gang’s intentions: obfuscation of activity.

The hackers work quietly behind the scenes, and like it that way. In order to maintain a low profile, Trellix reports that certain targets are off-limits. “CIS countries are excluded, as well as morgues, hospitals, and COVID-19 vaccine related corporations,” says the security firm. It’s noted that dentistry, however, is fair game (the use of the word “hospitals” rather than doctor’s offices as a point of exclusion is highlighted by researchers). One rule in particular emphasizes the avoidance of making headlines, which also removes “vital infrastructure, law enforcement, and other major corporations” as targeting points. In the case that a major corporation is impacted and/or makes headlines, all references and traces connected to the RTM gang are to be immediately removed, with negotiations to take place on a differing platform.

The threat actors also keep their malware builds under wraps to keep from extended analysis. Samples analyzed by researchers were even found to contain “a self-delete mechanism which is invoked once the victim’s device is encrypted.” Affiliates guilty of sample leaks risk a ban from the platform and activity, dependent on the ID associated with the locker sample.

Characteristics of those involved in the gang.

The researchers suspect that there are affiliates and gang members with opposing takes on the hybrid war between Russia and Ukraine. The gang seems to be opportunistic in their attacks and driven by financial motives, rather than fueled by political ideologies.

An expert opinion on the threat.

Erich Kron, security awareness advocate at KnowBe4, believes that the gang’s activity is evidence of their maturity and humanity, and provides advice for organizational defense:

“This peek behind the curtains gives a good look into the human aspect that makes up these faceless ransomware gangs. By requiring affiliates to remain active, they not only make it more inconvenient for law enforcement and security researchers, but can also ensure that they can share information with affiliates relatively quickly. This could come in handy if they need to change tactics or lay low for a while if they draw the attention of law enforcement. It's also a great way to make the affiliates have consistent touch points with the developers, possibly keeping them from migrating to other gangs.

"Knowing that they are avoiding attacks on certain industries in order to avoid the kind of attention that puts a gang in the crosshairs of international law enforcement, is a sign of the gang's maturity and ability to learn from the mistakes of others. The rules that the RTM gang have in place appear to be well defined but are strict. This is a wise move when you are dealing with other people, such as their affiliates, with a broken moral compass.

"Because they use affiliates, it's likely that the attack vectors are not always the same. This will vary depending on the affiliate beginning the attack, however, more than likely most of these attacks will be started with a simple phishing email. For organizations to defend themselves, wisdom dictates that educating employees on how to spot and report phishing emails, having robust and tested backups in place, and having well-tuned data loss prevention controls can go a long way toward minimizing the impact that these potential threats have on organizations.”