Royal Ransomware

Royal Ransomware is the latest ransomware operation to add Linux encryption support to its malware, with its newest variant specifically targeting VMware ESXi virtual machines.

BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed from the command line.

It also comes with support for multiple flags that give the ransomware operators some control over the encryption process:

  • -stopvm - stops all running VMs so their files can be encrypted
  • -vmonly - only encrypt virtual machines
  • -fork - unknown
  • -logs - unknown
  • -id - ID value; must be 32 characters

When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.
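The renamed-extension behaviour is the most practical artifact for triage on a hit ESXi host. The script below is an added example written for this page, not code from the article or from the Royal operators: it walks a datastore tree, groups every file ending in .royal_u by the per-VM directory it sits in (on ESXi, VM files live under /vmfs/volumes/<datastore>/<vmname>/), strips the appended extension to recover the original names, and reports whether each affected VM lost its .vmx configuration and which .vmdk disks were touched. The directory layout it builds is constructed sample data; the root path would be /vmfs/volumes on a real host.

```python
import os
import tempfile
from collections import defaultdict

# Extension the article reports the Linux/ESXi variant appends to encrypted files.
ROYAL_EXT = ".royal_u"


def find_encrypted(root):
    """Walk `root` and return {vm_dir: [encrypted file names]} for every file
    ending in ROYAL_EXT. vm_dir is relative to root, e.g. 'datastore1/web01'."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ROYAL_EXT):
                hits[os.path.relpath(dirpath, root)].append(name)
    return dict(hits)


def original_name(encrypted_name):
    """Recover the pre-encryption file name by stripping the appended extension."""
    if not encrypted_name.endswith(ROYAL_EXT):
        raise ValueError(f"{encrypted_name!r} does not carry {ROYAL_EXT}")
    return encrypted_name[: -len(ROYAL_EXT)]


def triage(root):
    """Per-VM summary: which original files were encrypted, whether the .vmx
    config (needed to register/boot the VM) is among them, and which disks."""
    report = {}
    for vm_dir, files in find_encrypted(root).items():
        originals = sorted(original_name(f) for f in files)
        report[vm_dir] = {
            "encrypted": originals,
            "vmx_encrypted": any(o.endswith(".vmx") for o in originals),
            "disks_encrypted": [o for o in originals if o.endswith(".vmdk")],
        }
    return report


def build_sample_datastore():
    """Constructed sample datastore (not real data): one encrypted VM, one clean VM.
    Returns the temporary root directory that stands in for /vmfs/volumes."""
    root = tempfile.mkdtemp(prefix="vmfs_")
    layout = {
        "datastore1/web01": [
            "web01.vmx" + ROYAL_EXT,
            "web01.vmdk" + ROYAL_EXT,
            "web01-flat.vmdk" + ROYAL_EXT,
            "vmware.log",            # log left untouched in this sample
        ],
        "datastore1/db01": ["db01.vmx", "db01.vmdk", "db01-flat.vmdk", "vmware.log"],
    }
    for rel_dir, names in layout.items():
        d = os.path.join(root, rel_dir)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"sample")   # contents are placeholders
    return root


if __name__ == "__main__":
    root = build_sample_datastore()
    for vm, info in triage(root).items():
        print(f"{vm}: vmx_encrypted={info['vmx_encrypted']} disks={info['disks_encrypted']}")
```

Run it as-is to see the constructed case; on a real host, call `triage("/vmfs/volumes")` from a Python interpreter on a forensic copy of the datastore rather than on the live hypervisor, so that nothing on the evidence is modified.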

While anti-malware solutions initially had difficulty detecting Royal Ransomware samples that include the new ESXi targeting capabilities, they are now detected by 23 out of 62 malware scanning engines on VirusTotal.

[Image: Detection score on VirusTotal]

Who is Royal Ransomware?

Royal Ransomware is a private operation comprised of seasoned threat actors who previously worked with the Conti ransomware operation.

Starting in September, Royal ramped up malicious activities months after first being spotted in January 2022.

While they initially utilized encryptors from other operations, such as BlackCat, they transitioned to using their own, starting with Zeon which dropped ransom notes similar to those generated by Conti.

In mid-September, the group rebranded as "Royal" and began deploying a new encryptor in attacks that produces ransom notes with the same name. 

The gang demands ransom payments ranging from $250,000 to tens of millions of dollars after encrypting their targets' enterprise network systems.

In December, the U.S. Department of Health and Human Services (HHS) warned of Royal ransomware attacks targeting organizations in the Healthcare and Public Health (HPH) sector.

[Image: Royal ransomware submissions (ID Ransomware)]

Most ransomware strains now also target Linux

The ransomware groups' shift towards targeting ESXi virtual machines follows the enterprise move to virtualization, which offers simpler device management and far more efficient use of hardware resources.

After deploying their payloads on ESXi hosts, the ransomware operators can run a single command on the hypervisor to encrypt the many virtual servers it hosts.

"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Emsisoft CTO Fabian Wosar told BleepingComputer last year.

You can find more info on Royal Ransomware and what to do if you get hit in this support topic on the BleepingComputer forum.

Tens of thousands of VMware ESXi servers exposed on the Internet reached their end-of-life in October, according to a Lansweeper report.

These systems will only receive technical support from now on but no security updates, which exposes them to ransomware attacks.

To put things in perspective and show just how exposed to attacks such servers are, a new ransomware strain known as ESXiArgs was used to scan for and encrypt unpatched servers in a massive campaign targeting ESXi devices worldwide this Friday.

Within just a few hours, over 100 servers worldwide were compromised in these attacks, according to a Shodan search.
