Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.
BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.
It also comes with support for multiple flags that will give the ransomware operators some control over the encryption process:
- -stopvm > stops all running VMs so they can be encrypted
- -vmonly – Only encrypt virtual machines
- -fork – unknown
- -logs – unknown
- -id: id must be 32 characters
When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.
While anti-malware solutions had issues detecting Royal Ransomware samples that bundle the new targeting capabilities, they’re now detected by 23 out of 62 malware scanning engines on VirusTotal.
Who is Royal Ransomware?
Royal Ransomware is a private operation comprised of seasoned threat actors who previously worked with the Conti ransomware operation
Starting in September, Royal ramped up malicious activities months after first being spotted in January 2022.
While they initially utilized encryptors from other operations, such as BlackCat, they transitioned to using their own, starting with Zeon which dropped ransom notes similar to those generated by Conti.
In mid-September, the group rebranded as “Royal” and began deploying a new encryptor in attacks that produces ransom notes with the same name.
The gang demands ransom payments ranging from $250,000 to tens of millions after encrypting their targets’ enterprise network systems.
In December, the U.S. Department of Health and Human Services (HHS) warned of Royal ransomware attacks targeting organizations in the Healthcare and Public Healthcare (HPH) sector.
Most ransomware strains now also target Linux
The ransomware groups’ shift towards targeting ESXi virtual machines aligns with a trend where enterprises have transitioned to VMs as they come with improved device management and much more efficient resource handling.
After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers.
“The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,” Wosar told BleepingComputer last year.
You can find more info on Royal Ransomware and what to do if you get hit in this support topic on the BleepingComputer forum.
Tens of thousands of VMware ESXi servers exposed on the Internet reached their end-of-life in October, according to a Lansweeper report.
These systems will only receive technical support from now on but no security updates, which exposes them to ransomware attacks.
To put things in perspective and show just how exposed to attacks such servers are, a new ransomware strain known as ESXiArgs was used to scan for and encrypt unpatched servers in a massive campaign targeting ESXi devices worldwide this Friday.
Within just a few hours, over 100 servers worldwide were compromised in these attacks, according to a Shodan search.