Royal Ransomware Expands to Target Linux, VMware ESXi

The ransomware gang has also started using the BatLoader dropper and SEO poisoning for initial access.

Tara Seals, Managing Editor, News

May 9, 2023


The Royal ransomware group — which is made up of former members of the Conti gang — has ramped up operations since bursting on the scene last summer, mounting attacks against critical infrastructure and healthcare targets in particular. Most recently, it has expanded its arsenal to target Linux and VMware ESXi environments.

That's according to Palo Alto Networks' Unit 42 division, which noted in an analysis released May 9 that the group has recently launched a variant of its encryptor malware built as an Executable and Linkable Format (ELF) binary.

"[It] is quite similar to the Windows variant, and the sample does not contain any obfuscation," the researchers explained in the posting. "All strings, including the RSA public key and ransom note, are stored as plaintext."

Linux runs the back-end systems of many networks and container-based solutions for Internet of Things devices and mission-critical applications, and as such, represents a plum attack surface for threat actors interested in disrupting critical operations.

VMware's ESXi platform, meanwhile, is an increasingly attractive target for ransomware attackers, with multiple ransomware campaigns targeting the virtualization platform in the past year alone. There's the added benefit of bang for the buck: A compromise of one ESXi hypervisor could open the door to all of the virtual machines (VMs) that it controls, without any additional work.

"Considering many ransomware families have an ESXi/Linux focused variant, this isn't unusual," Unit 42 researchers said. "It only makes sense that this group would...


Continue reading this article on Dark Reading

About the Author(s)

Tara Seals

Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
