
Royal Ransomware adds support for encrypting Linux, VMware ESXi systems


Royal Ransomware operators added support for encrypting Linux devices and targeting VMware ESXi virtual machines.

The Royal Ransomware gang is the latest extortion group to add support for encrypting Linux devices and targeting VMware ESXi virtual machines.

Other ransomware operators already support Linux encryption, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, LockBit, Luna, Nevada, RansomEXX, and REvil.

BleepingComputer first reported that Equinix Threat Analysis Center (ETAC) researcher Will Thomas discovered the Linux variant of the Royal Ransomware. The new variant appends the .royal_u extension to the filenames of all encrypted files on the VM.

Querying VirusTotal for the hash shared by the expert shows that the ransomware variant currently has a detection rate of 32 out of 63.

According to Thomas, the malware is executed from the command line and supports multiple parameters to control the encryption operations.

When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.

Royal ransomware is a human-operated threat that first appeared on the threat landscape in September 2022; it has demanded ransoms of up to millions of dollars.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service; it appears to be a private group without a network of affiliates.

Once they have compromised a victim’s network, the threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movement.

Originally, the ransomware operation used BlackCat’s encryptor, but later it started using Zeon. The ransom notes (README.TXT) include a link to the victim’s private negotiation page. Starting from September 2022, the note was changed to Royal.

The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’ parameter. The malware changes the extension of the encrypted files to ‘.royal’.
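An added example (not from the original article or the researchers it cites): a read-only sweep of a mounted datastore or file-share copy for the two appended extensions named above, recording per directory which original filenames were hit and whether a README.TXT is present alongside them. The function names and the sample tree are constructed for illustration, and the note sitting in the same directory as the encrypted files is an assumption.

```python
import os
import tempfile
from collections import defaultdict

# Indicators named in the article; matching is case-insensitive.
ENCRYPTED_SUFFIXES = (".royal_u", ".royal")
NOTE_NAME = "readme.txt"


def sweep(root):
    """Walk `root` and return {directory: finding} for every directory
    holding at least one file that carries a Royal extension."""
    findings = defaultdict(lambda: {"encrypted": [], "originals": [], "note": False})
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for name in files:
            low = name.lower()
            for suffix in ENCRYPTED_SUFFIXES:
                if low.endswith(suffix) and len(low) > len(suffix):
                    entry = findings[dirpath]
                    entry["encrypted"].append(name)
                    # The extension is appended, so stripping it yields the original name.
                    entry["originals"].append(name[: -len(suffix)])
                    # Assumption: a ransom note, if any, sits beside the files.
                    entry["note"] = NOTE_NAME in lowered
                    break
    return dict(findings)


def build_sample(root):
    """Constructed sample tree (not real data): two affected folders, one clean."""
    layout = {
        "vm01": ["vm01-flat.vmdk.royal_u", "vm01.vmx.royal_u", "README.TXT"],
        "vm02": ["vm02-flat.vmdk", "vm02.vmx", "readme.txt"],
        "share": ["report.docx.royal"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for directory, hit in sorted(sweep(tmp).items()):
            print(directory, len(hit["encrypted"]), "encrypted, note:", hit["note"])
```

A README.TXT on its own is not flagged, since that filename is common in clean directories; only the appended extensions trigger a finding.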

In November 2022, researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

In December 2022, the US Department of Health and Human Services (HHS) warned healthcare organizations of Royal ransomware attacks.

The BleepingComputer forum hosts a Royal Ransomware (.royal) Support Topic on this specific threat.

Last week, CERT-FR warned of an ongoing campaign targeting ESXi servers. Yesterday the Italian National Cyber Agency also warned of an ongoing massive ransomware campaign targeting VMware ESXi servers worldwide, including Italian systems. The attackers are attempting to exploit the CVE-2021-21974 vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, Ransomware)