The Quoter Ransomware is a file-locking Trojan attributed specifically to the RTM group, a threat actor that deploys banking Trojans against businesses in Eurasia. It encrypts the user's files as part of a ransom scheme and usually arrives through earlier network compromises by other threats and remote administration tools. At-risk businesses should be vigilant against e-mail-based attacks and let dedicated anti-malware products remove the Quoter Ransomware.
Three Ways of Making Money Illicitly after a Single Breach
Throughout 2020 and into the new year, file-locking Trojans have observably been diversifying how they make money. The Quoter Ransomware is an especially striking case: it shows that backups, which counter the encryption, cannot roll back every problem Trojans of this type cause. Surprisingly, the Quoter Ransomware is a new family specific to RTM, hackers better known for dealing in banking Trojans.
The RTM group targets financial and transportation businesses, predominantly but not exclusively inside Russia. Initial infection vectors are, as usual, e-mail phishing lures with workplace-related themes that trick workers into opening the attached files. Doing so installs the RTM Banking Trojan. Because the Trojan also includes backdoor features, RTM attackers fully compromise the system and then the rest of the network.
If the banking Trojan fails to bring in money, the hackers deploy the Quoter Ransomware as a fallback for their profits. The Quoter Ransomware uses AES-256 encryption to block files and drops ransom notes for victims, with average demands around a million USD. Like the NEFILIM Ransomware and some versions of the AES-Matrix Ransomware, the Quoter Ransomware also extorts money by threatening to leak the company's data on publicly visible websites.
Compensating for Crooks Making Money the Wrong Way
The Quoter Ransomware's name comes from its inserting additional quotes, such as Bible verses, into the internal data of encrypted files, although this feature plays no notable part in the security of its encryption. Besides the quirks unique to the Trojan, the Quoter Ransomware campaign also shows the value of multiple Trojans and third-party software to hackers. In RTM's case, they use remote administration applications like LiteManager to compromise multiple devices across different operating systems, and they may delay deploying the file-locking Trojan until months after the initial breach.
Users should be attentive to the staples of network security: strong passwords, up-to-date software, and caution with unusual e-mail attachments, particularly documents with embedded macros. Common disguises that malware experts confirm in the Quoter Ransomware campaign include fake subpoenas and refund requests. RDP access should also be kept under strict control.
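As an added example, not code from the original article and not RTM's or any vendor's tooling, the following Python triage script shows one way to apply the macro caveat above at a mail gateway: it inspects attachment bytes rather than file names, flags Office Open XML containers that carry a VBA project (a vbaProject.bin part or the matching declared content type), and routes legacy OLE2 binaries to deeper inspection. The attachment names and contents are constructed for the demonstration and mirror the subpoena and refund lures named in the text.

```python
"""Triage e-mail attachments for embedded Office macros.

Added example, not part of the original article or any RTM tooling.
Office Open XML files (.docx/.docm/.xlsm/.pptm ...) are ZIP containers;
a VBA project is stored as a part named vbaProject.bin and declared in
[Content_Types].xml. Legacy binary formats (.doc/.xls) are OLE2 compound
files, recognised here by their magic bytes and handed off rather than
parsed.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # [MS-CFB] header signature
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-binary', 'clean' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # .doc/.xls/.ppt: macros live in an OLE stream; send these to a
        # dedicated parser (e.g. oletools' olevba) instead of trusting the name.
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    # Either signal alone is enough to flag the file: a VBA part by name or
    # a declared VBA content type. Renaming .docm to .docx changes neither.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "macro"
    return "clean"


def triage(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Office Open XML container for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        parts = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument'
                 '.wordprocessingml.document.main+xml"/>']
        if with_macro:
            parts.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>' + "".join(parts) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed samples mirroring the lures named in the article.
SAMPLES = {
    "Subpoena_Notice.docm": build_ooxml(with_macro=True),
    "Refund_Request.docx": build_ooxml(with_macro=False),
    "Invoice.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:24} {verdict}")
```

A "macro" verdict is a quarantine signal, not proof of malice; a "legacy-binary" verdict means the file is an OLE2 container whose streams this script does not parse, so it should go to a tool such as olevba before delivery. The check deliberately ignores the file extension, since a renamed attachment is a routine phishing trick.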
The Quoter Ransomware's encryption routine is efficient in the usual way and should finish blocking files quickly. Users can still protect their data by backing it up and by having anti-malware services remove the Quoter Ransomware, but they remain at risk from the other elements of RTM's assaults, namely data theft and leaks.
As the ongoing 'business' adaptations in black hat campaigns show, a backup alone isn't enough anymore, either for businesses or their workers. Failing to stop a threat like the Quoter Ransomware from getting into a network is fast becoming a mistake with permanent repercussions.