Another day, another ransomware-as-a-service provider, or so it seems. The “Read The Manual” (RTM) Locker gang targets corporate environments, forcing their affiliates to follow a strict ruleset. Is this yet another ransomware gang, or is there more to this gang and their locker than meets the eye? This talk investigates the actor, along with a technical deep dive into their Windows ransomware executable.

Whereas some gangs have the desire to become (in)famous, breaking headlines with the group’s name, the RTM Locker gang is different. Their ruleset forces affiliates to operate under the radar, minimising their public exposure and thereby ensuring the group isn’t caught by the prying eyes of law enforcement and malware researchers alike.

Their approach, however, isn’t waterproof. This talk will bring the audience along for a technical deep dive into the Windows ransomware executable, along with an overview of the group’s specific rules. Additionally, the group’s activity is peculiar, given that their locker is being reworked without outlets having reported on their initial version.