Royal ransomware spreads to Linux and VMware ESXi

A new Linux version of Royal ransomware is targeting VMware ESXi virtual machines. Learn more about this security threat and how to protect from it.

Image: Adobe Stock

Royal ransomware is malware that first appeared around September 2022. The people behind this ransomware are probably a subgroup of the infamous Conti threat actor. This subgroup, which is called Conti Team 1, released the Zion ransomware before rebranding it as Royal ransomware.

Royal spread fast: it became the ransomware with the biggest number of victims in November 2022 (Figure A), taking the lead in front of the LockBit ransomware.

Figure A

Twitter post from DarkFeed highlighting the rankings for the top ransomware groups
Image: Twitter. Royal ransomware is the most impacting ransomware in November 2022.



Royal ransomware's delivery techniques

The Royal ransomware is spread in multiple ways, with the most common technique being phishing, according to Cyble Research & Intelligence Labs.

The malware was reported in November 2022 by insurance company At-Bay as being likely the first ransomware to successfully exploit a Citrix vulnerability, CVE-2022-27510, and gain access to devices with Citrix ADC or Citrix Gateway to operate ransomware attacks. The threat actor used the Citrix vulnerability before any public exploit, showing that the ransomware group is amongst the most sophisticated ransomware threat actors.

Royal ransomware also might be spread by malware downloaders, such as QBot or BATLOADER.

Contact forms from companies were also used to distribute the ransomware. The threat actor first initiates a conversation on the target's contact form, and once a reply is provided by email, an email containing a link to BATLOADER is sent to the target in order to deploy Royal ransomware in the end.

Royal ransomware has also been distributed via Google Ads or via the installation of fake software pretending to be legitimate, such as Microsoft Teams or Zoom, hosted on legitimate-looking fake websites.

Microsoft reported on a fake TeamViewer website that delivered a BATLOADER executable that deployed Royal ransomware (Figure B).

Figure B

Fake TeamViewer website delivering malware
Image: Microsoft. Fake TeamViewer website delivering malware.

Uncommon file formats such as Virtual Hard Disk files impersonating legitimate software have also been used as first-stage downloaders for Royal ransomware.

Royal ransomware's targets

The most impacted industries targeted by Royal ransomware are manufacturing, professional services, and food and beverages (Figure C).

Figure C

Pie chart illustrating the industries targeted by Royal ransomware
Image: Cyble. Industries targeted by Royal ransomware.

As for the location of those industries, Royal ransomware mostly targets the U.S., followed by Canada and Germany (Figure D).

Figure D

World map in shades of blue with varying sizes of red dots indicating Royal ransomware's most frequent attack locations
Image: Cyble. Royal ransomware targeting by country.

The ransoms requested by the group vary depending on the target, from $250,000 USD to over $2 million USD.

A new Linux threat targeting VMware ESXi

The new Royal ransomware sample reported by Cyble is a 64-bit Linux executable compiled using the GNU Compiler Collection. The malware first performs an encryption test that terminates the malware if it fails; the test consists of simply encrypting the word "test" and checking the result.


SEE: Massive ransomware operation targets VMware ESXi (TechRepublic)

The malicious code then collects information about running VMware ESXi virtual machines via the esxcli command-line tool and saves the output in a file before terminating all of the virtual machines, once again using the esxcli tool.

The ransomware then uses multi-threading to encrypt files, excluding a few files such as its own: readme and royal_log_* files, and files with the .royal_u and .royal_w extensions. It also excludes files with the .sf, .v00 and .b00 extensions. A combination of the RSA and AES encryption algorithms is used for the encryption.

As the malware encrypts data, it creates the ransom notes in a parallel process (Figure E).

Figure E

Ransom note from Royal ransomware
Image: Fortinet. Ransom note from Royal ransomware.
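The two ESXi behaviours described above (VMs enumerated and then killed through esxcli, and the .royal_u/.royal_w, royal_log_* and readme files the sample leaves on the datastore) both give a defender something concrete to watch for. The script below is an added example, not code from the article or from Cyble, Fortinet or any other vendor cited here: it compares two snapshots of `esxcli vm process list` output to flag a sudden mass disappearance of VMs, and scans a datastore file listing for the Royal file names. The esxcli output shape, the file paths and the 50% threshold are constructed assumptions for the demonstration.

```python
# Added example: defender-side checks for the Linux Royal behaviours described
# above. Samples below are constructed; run on real hosts by feeding the real
# `esxcli vm process list` output and a `find /vmfs/volumes -type f` listing.
import re
from typing import Dict, List

# Constructed sample in the shape of `esxcli vm process list` output
# (VM name at column 0, followed by indented "Key: Value" fields).
BASELINE_OUTPUT = """\
web01
   World ID: 2099731
   VMX Cartel ID: 2099730
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
db01
   World ID: 2100412
   VMX Cartel ID: 2100411
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx
fileshare
   World ID: 2100900
   VMX Cartel ID: 2100899
   Display Name: fileshare
   Config File: /vmfs/volumes/datastore1/fileshare/fileshare.vmx
"""

# Constructed later snapshot: two of the three VMs are gone.
CURRENT_OUTPUT = """\
db01
   World ID: 2100412
   VMX Cartel ID: 2100411
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx
"""

# Constructed datastore listing after a partial encryption run.
SAMPLE_DATASTORE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.royal_u",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.royal_w",
    "/vmfs/volumes/datastore1/web01/readme",
    "/vmfs/volumes/datastore1/royal_log_01.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
    "/vmfs/volumes/datastore1/.fbb.sf",
    "/vmfs/volumes/datastore1/imgdb.tgz",
]

ROYAL_EXTENSIONS = (".royal_u", ".royal_w")
ROYAL_LOG_RE = re.compile(r"^royal_log_", re.IGNORECASE)
# Fraction of baseline VMs that must vanish between snapshots before we call
# it mass termination rather than routine maintenance (assumed threshold).
MASS_TERMINATION_RATIO = 0.5


def parse_vm_process_list(text: str) -> Dict[str, Dict[str, str]]:
    """Parse esxcli-style output into {vm_name: {field: value}}."""
    vms: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a VM block
            current = line.strip()
            vms[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            vms[current][key.strip()] = value.strip()
    return vms


def missing_vms(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """VMs present in the baseline snapshot but absent from the current one."""
    return sorted(set(baseline) - set(current))


def mass_termination_detected(baseline, current, ratio=MASS_TERMINATION_RATIO) -> bool:
    """True when at least `ratio` of the baseline VMs have disappeared."""
    if not baseline:
        return False
    return len(missing_vms(baseline, current)) / len(baseline) >= ratio


def royal_file_indicators(paths: List[str]) -> Dict[str, List[str]]:
    """Flag files matching the names the Linux Royal variant writes or skips.

    .royal_u/.royal_w and royal_log_* are specific enough to alert on alone;
    a bare "readme" is common anywhere, so it is only reported when a
    specific indicator is also present in the same listing.
    """
    strong, notes = [], []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name.lower().endswith(ROYAL_EXTENSIONS) or ROYAL_LOG_RE.match(name):
            strong.append(path)
        elif name.lower() == "readme":
            notes.append(path)
    return {"encrypted_or_log": strong, "ransom_notes": notes if strong else []}


if __name__ == "__main__":
    base = parse_vm_process_list(BASELINE_OUTPUT)
    now = parse_vm_process_list(CURRENT_OUTPUT)
    print("VMs missing since baseline:", missing_vms(base, now))
    print("Mass termination:", mass_termination_detected(base, now))
    print("Royal file indicators:", royal_file_indicators(SAMPLE_DATASTORE_LISTING))
```

The VM-count comparison is deliberately crude: a planned maintenance window will also empty a host, so the threshold should be tuned per environment and the alert correlated with the file-name check, which is the more specific of the two signals.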

How to protect from this Royal ransomware threat

Since the threat actor uses a variety of techniques to breach companies and deploy the Royal ransomware, several vectors of infection need to be secured. Further, the threat actor has already proved it was able to use non-public exploits against software, so all operating systems and software need to be kept up to date and patched at all times.

Emails are the most commonly used way of breaching companies, and this is true for the Royal ransomware gang. Therefore, security solutions need to be deployed on the web servers, and admins should check all attached files and links contained inside emails for any malicious content. The check should not only be an automated static analysis but also a dynamic one via sandboxes.

Browser content should be analyzed, and browsing to unknown or low-reputation websites should be blocked, as the Royal ransomware gang sometimes uses new fake websites to spread its malware.

Data backup processes should be established, with backups being done regularly but kept offline.

Finally, employees should be made aware of this ransomware threat, particularly those who handle emails from unknown sources, such as press relations or human resources.





Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
