The Read The Manual (RTM) ransomware group has been observed by security researchers at Trellix targeting corporate environments. According to an advisory that Trellix published last week, the group takes a businesslike approach and forces affiliates to adhere to a strict set of rules. The company was able to analyze RTM Locker group’s panel, which allowed the security researchers to examine their rules, targets, tactics, and other pertinent information.

Trellix has observed similar tactics before, and stated that they enable RTM Locker to attempt to extort victims twice. The panel’s login page requires a username and password, as well as a CAPTCHA test. Affiliates can add ransomed victims within the panel, Trellix says. The extortion comes in two stages, first with file encryption and later in naming victims by publishing the stolen data. The group attempts to fly below the radar and make money off of their malicious activities while being unnoticed by security companies and law enforcement. The affiliates have to remain active in their exploits, or their account will be removed. This encourages affiliates to conduct a high amount of attacks that don’t draw excess attention. For this reason, the group avoids law enforcement agencies, major corporations, government entities, and vital infrastructure.

Read More: RTM Locker Gang Targets Corporate Environments with Ransomware