This gang wrote the book on ransomware.

Apr 14 2023

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s uncovering more cracks and secrets than a night at Hugh Hefner’s mansion. #riphef

Today’s hottest cyber security stories:

  • Read The Manual (RTM) hacking gang wrote the book on ransomware. Literally!
  • What’s up at WhatsApp? No more takeover attacks, bro!
  • How can a Searchlight be stealthy? Dark web tool is gamechanger


Just when I thought I was out, they pull me back in. Welcome to the RTM Locker ransomware gang where you can check out any time you like, but you can never leave. Ladies and gentlemen, RTM Locker puts the ‘organised’ in organised crime. And if you think we’re about to rein in the gangster rhetoric… you can ‘forget about it’!

So, the question is: what sets Russian-speaking (shock!) RTM Locker apart from the countless other ransomware hacking gangs that we’ve covered in this very newsletter? Well, the clue’s in the name…

Indeed, according to a report by cybersecurity firm Trellix: “The ‘Read The Manual’ Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang’s strict rules.” Read the manual, yo! Get with the program! Do the work!

Let me guess: The first rule of RTM Locker is you DO NOT TALK ABOUT RTM Locker.

Kidding aside, this is a well-thought-out operation which is essentially a RaaS (Ransomware-as-a-Service), much like a MaaS (Malware-as-a-Service).

Instead of carrying out ransomware attacks directly itself, RTM Locker recruits foot soldiers (‘affiliates’) to carry out the dirty work and they pay for the privilege of using the gang’s tried and tested infrastructure (or ‘service’).

But don’t start DuoLingo-ing Russian just yet, would-be gangsters; there are some stipulations… I mean, we actually weren’t a million miles away with our Fight Club reference.

RTM Locker malware builds are bound by strict mandates that forbid affiliates from leaking the samples, or else risk facing a ban. See: You DO NOT TALK ABOUT PROJECT RTM LOCKER.

Another rule says affiliates get excommunicated, shall we say, should they remain inactive for 10 days. You can check out anytime you like but you can never leave…

Another thing that sets RTM Locker apart from its ‘competitors’ (‘Conti’, for example) is its smart choice of victims. It avoids high-profile targets such as CIS countries, morgues, hospitals, COVID-19 vaccine-related corporations, critical infrastructure, law enforcement, and other prominent companies.

“The RTM gang’s goal is to attract as little attention as possible, which is where the rules help them to avoid hitting high-value targets,” security researcher Max Kersten said.

“Their management of affiliates to accomplish that goal requires some level of sophistication, though it’s not a high level per se.”

Damn, it feels good to be a gangsta! Unless you run your mouth, or try to leave… Stay in school, kids!


WhatsApp dropped some hot news on Thursday, announcing a fresh security feature that will leave malware out in the cold.

Dubbed ‘Device Verification’, this safeguard is here to prevent hackers from hijacking your account and sending spam to your contacts.

“Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,” the Meta-owned company said in an announcement.

By blocking these bad actors and using some fancy cryptographic measures like a local security token, WhatsApp can keep your messages flowing uninterrupted. And just like that, you’re free to chat without the fear of getting hacked!

And that’s what’s up.


Good news for cybersecurity professionals! Searchlight Cyber has launched a new virtual machine which allows you to access the dark web and conduct investigations anonymously, reducing risks like accidental malware installation.

Think of it like a head torch for when you go cave diving. You wouldn’t go cave diving without a torch, would you? Or maybe you wouldn’t at all… Probably wise.

So yeah, get ready to browse the dark side in a safer way! Searchlight Cyber, the dark web intelligence company, has just released Stealth Browser – a secure virtual machine that lets cyber professionals conduct anonymous investigations on the dark web without putting themselves or their organisations at risk.

This cool feature is an upgrade to Searchlight’s Cerberus investigation platform, which is popular among law enforcement agencies, businesses, and MSSPs for uncovering illegal activities on the dark web.

Searchlight Cyber said in a press release: “Stealth Browser reduces the risks associated with accessing the dark web by masking the investigator’s digital fingerprint, allowing both novice and experienced investigators to quickly and securely access Tor and I2P onions on the dark web.”

But imagine if this was to fall into the wrong hands

So long and thanks for reading all the phish!

Cyber Dawg’s top picks from the week, he’s your Dawg, he got you.

MONDAY: Expert reveals five things we’re all doing wrong everyday

TUESDAY: One million WordPress sites injected

WEDNESDAY: Urgent iPhone update required

THURSDAY: Fair Dinkum to the Aussies
