Royal Ransomware adds support for encrypting Linux, VMware ESXi systems

Royal Ransomware operators have added support for encrypting Linux devices and are now targeting VMware ESXi virtual machines.


The Royal Ransomware gang is the latest extortion group to add support for encrypting Linux devices and to target VMware ESXi virtual machines.

Other ransomware operations already support Linux encryption, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, LockBit, Luna, Nevada, RansomEXX, and REvil.

BleepingComputer first reported that Equinix Threat Analysis Center (ETAC) researcher Will Thomas discovered the Linux variant of the Royal Ransomware.


Querying VirusTotal for the hash shared by the researcher shows that, at the time of writing, the variant has a detection rate of 32 out of 63 engines.

According to Thomas, the malware is executed from the command line and supports multiple parameters that control the encryption operations. When encrypting files, the ransomware appends the .royal_u extension to the filename of every encrypted file on the VM.


Royal ransomware is a human-operated threat that first appeared on the threat landscape in September 2022; it has demanded ransoms of up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service; it appears to be a private group without a network of affiliates.

Once a victim’s network is compromised, the threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movement.

Originally, the ransomware operation used BlackCat’s encryptor, but it later started using Zeon. The ransom notes (README.TXT) include a link to the victim’s private negotiation page. Starting in September 2022, the note was rebranded to Royal.

The Royal ransomware can either fully or partially encrypt a file, depending on the file’s size and the ‘-ep’ parameter. The earlier encryptor changes the extension of encrypted files to ‘.royal’, whereas the new Linux variant uses ‘.royal_u’.
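As an added example (not code from the article, from the researchers it cites, or from Royal’s own encryptor), the following Python script shows how a responder might triage a Linux host or an ESXi datastore for the indicators described in the two passages above: files renamed with the .royal or .royal_u extension, the README.TXT ransom note, and a per-chunk Shannon entropy scan that separates fully encrypted files from partially encrypted ones. The 4096-byte chunk size, the 7.0 bits-per-byte threshold, the assumption that partial encryption leaves whole plaintext chunks behind, and the sample directory layout the script builds are all assumptions made for the demonstration, not details taken from Royal.

```python
"""Triage helper: find Royal-style encrypted files and ransom notes under a path,
and flag partial (intermittent) encryption with a per-chunk entropy scan."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions reported for Royal's earlier (.royal) and Linux/ESXi (.royal_u) encryptors.
ROYAL_EXTENSIONS = {".royal", ".royal_u"}
RANSOM_NOTE = "README.TXT"      # ransom note filename reported for Royal
CHUNK = 4096                    # assumption: scan granularity, not Royal's own block size
HIGH_ENTROPY = 7.0              # assumption: bits/byte above which a chunk looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_encryption(path: Path, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """Return 'full', 'partial' or 'none' for one file.

    Assumption: a fully encrypted file is high-entropy in every chunk, while
    partial encryption leaves at least one plaintext (low-entropy) chunk behind."""
    entropies = []
    with path.open("rb") as fh:
        while block := fh.read(chunk):
            entropies.append(shannon_entropy(block))
    if not entropies:
        return "none"
    high = sum(e >= threshold for e in entropies)
    if high == len(entropies):
        return "full"
    return "partial" if high else "none"


def triage(root) -> dict:
    """Walk root and report Royal-extension files (with their classification) and ransom notes."""
    root = Path(root)
    report = {"encrypted": {}, "notes": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix in ROYAL_EXTENSIONS:
            report["encrypted"][rel] = classify_encryption(p)
        elif p.name == RANSOM_NOTE:
            report["notes"].append(rel)
    report["notes"].sort()
    return report


def build_sample_tree(base) -> Path:
    """Write a constructed (not real) victim datastore layout under base for the demo."""
    base = Path(base)
    rng = random.Random(2023)  # deterministic stand-in for ciphertext bytes
    text = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 200  # ~11 KB plaintext

    vm = base / "datastore1" / "vm1"
    vm.mkdir(parents=True)
    # fully encrypted: every chunk is ciphertext-like
    (vm / "vm1.vmx.royal_u").write_bytes(rng.randbytes(2 * CHUNK))
    # partially encrypted: first chunk ciphertext-like, the rest left as plaintext
    (vm / "vm1-flat.vmdk.royal_u").write_bytes(rng.randbytes(CHUNK) + text[:2 * CHUNK])
    # an untouched file and the ransom note dropped alongside the VM files
    (vm / "vm1.nvram").write_bytes(text[:1024])
    (vm / RANSOM_NOTE).write_text("constructed ransom note text for the demo\n")
    # a file renamed by the earlier .royal encryptor on a file share
    share = base / "share"
    share.mkdir()
    (share / "q3-report.docx.royal").write_bytes(rng.randbytes(CHUNK))
    return base


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run the script as-is to triage the constructed tree, or call triage() on a real mount point (on ESXi, a datastore path under /vmfs/volumes) to scan live data. One caveat a responder should keep in mind: files that are already compressed or encrypted by their own format (archives, media, disk images with encrypted guests) are high-entropy before the ransomware touches them, so a "full" verdict on such a file says nothing about which mode the encryptor used; the extension and the ransom note remain the reliable indicators, and the entropy result is only a hint about how much of a file may still be recoverable.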

In November 2022, researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, was using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates, embedded in spam messages, fake forum pages, and blog comments.

In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

The BleepingComputer forum hosts a Royal Ransomware (.royal) Support Topic on this specific threat.

Last week, CERT-FR warned of an ongoing campaign targeting ESXi servers. Yesterday, the Italian National Cyber Agency also warned of an ongoing massive ransomware campaign targeting VMware ESXi servers worldwide, including Italian systems. The attackers are attempting to exploit the CVE-2021-21974 vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, Ransomware)



