Pierluigi Paganini February 06, 2023

Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines.

The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi virtual machines.

Other ransomware operators already support Linux encrypting, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, LockBit, Luna, Nevada, RansomEXX, and REvil. 

BleepingComputer first reported that Equinix Threat Analysis Center (ETAC) researcher Will Thomas discovered the Linux variant of the Royal Ransomware. The new variant appends the .royal_u extension to the filenames of all encrypted files on the VM.

Querying VirusTotal for the hash that was shared by the expert we can verify that currently the ransomware variant has a detection rate of 32 our of 63.

According to Thomas, the malware is executed using the command line and support multiple parameters to control the encryption operations.

When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.

Royal ransomware is a human-operated threat that first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without a network of affiliates.

Once compromised a victim’s network, the threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movements.

Originally, the ransomware operation used BlackCat’s encryptor, but later it started using Zeon. The ransom notes (README.TXT) include a link to the victim’s private negotiation page. Starting from September 2022, the note was changed to Royal.

The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’
parameter. The malware changes the extension of the encrypted files to ‘.royal’.

In November 2022, researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

BleepingComputer forum hosts a Royal Ransomware (.royal) Support Topic on this specific threat.

Last week, CERT-FR warned of an ongoing campaign targeting ESXi servers. Yesterday the Italian National Cyber Agency also warned of an ongoing massive ransomware campaign targeting VMware ESXi servers worldwide, including Italian systems. The attackers are attempting to exploit the CVE-2021–21974 vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ransomware)