Royal Ransomware Goes Cross-Platform, Targets Linux & VMware ESXi Virtual Machines

Continue reading
In an ever-evolving threat landscape, the latest development on Royal Ransomware has risen in prominence with its cross-platform spread. This vicious ransomware has now added support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.
Royal Ransomware operation is a private group of experienced threat actors who previously worked with the notorious Conti ransomware group. They first emerged in January 2022 and ramped up their malicious activities starting in September of the same year. Initially, the group utilized encryptors from other operations such as BlackCat. However, they later transitioned to using their own, starting with the Zeon encryptor which dropped ransom notes similar to those generated by Conti.
In mid-September, the group rebranded as "Royal" and began deploying a new encryptor in their attacks, which produced ransom notes with the same name. The gang demands ransom payments ranging from $250,000 to tens of millions of dollars after encrypting the enterprise network systems of their targets. In December, the U.S. Department of Health and Human Services (HHS) warned of Royal ransomware attacks targeting organizations in the Healthcare and Public Healthcare (HPH) sector.
The ransomware group's shift towards targeting ESXi virtual machines aligns with a trend where enterprises have transitioned to using VMs due to their improved device management and more efficient resource handling. After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers. This makes it easier for them to access valuable information and hold it for ransom.
Furthermore, the reason for most ransomware groups, including Royal, to implement a Linux-based version of their ransomware is to target ESXi specifically. The rise of Linux-based ransomware is a cause for concern, as many IT professionals are not well-versed in this operating system and may not have the proper security measures in place.
According to a Lansweeper report, tens of thousands of VMware ESXi servers exposed on the internet reached their end-of-life in October. These systems will only receive technical support from now on but no security updates, leaving them vulnerable to attacks. This was evident in a recent attack where a new ransomware strain known as ESXiArgs was used to scan for and encrypt unpatched servers in a massive campaign targeting ESXi devices worldwide. Within just a few hours, over 100 servers worldwide were compromised in these attacks, according to a Shodan search.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.