Royal ransomware for Linux targets VMware ESXi servers

February 10, 2023
Tags: Royal Ransomware, Threat Group, Malware, Linux, VMware ESXi, Virtualization, Servers, Cybercrime

Linux devices can now be targeted by Royal ransomware after its operators released an upgraded encryptor that supports VMware ESXi virtual machines. The Royal operation is the latest addition to the list of well-known ransomware encryptors that target Linux, alongside Black Basta, BlackMatter, REvil, LockBit, Hive, and RansomEXX.

The Linux variant of Royal ransomware is executed by its operators from the command line.

Fortunately, the new Royal samples are now detected by about 60 malware-scanning solutions, whereas the previous version was largely missed by anti-malware products.

Royal ransomware is a private operation run by experienced cybercriminals who previously worked for the Conti ransomware group.

According to investigations, the Royal ransomware group increased its attacks significantly after researchers first identified the operation in September last year.

Researchers explained that Royal's operators initially borrowed encryptors from other operations such as BlackCat. The group gradually transitioned to its own encryptors after recruiting personnel from the recently dismantled Conti group.

In addition, the group rebranded as Royal and began deploying a new encryptor that produces ransom notes bearing the same name. After encrypting a targeted network, the group typically demands ransom payments ranging from a quarter of a million to tens of millions.

Cybersecurity experts noted that more and more ransomware strains have heavily targeted Linux operating systems in recent months. The recent uptick in ransomware attacks has prioritised ESXi virtual machines, which aligns with the growing adoption of VMs in enterprises.

Once their payload is deployed on an ESXi host, the operators can encrypt many servers with a single command.

According to researchers, the sudden surge of ransomware attacks against these servers is driven by the thousands of VMware ESXi servers exposed on the internet. These servers reached end-of-life last October, leaving them without security updates and vulnerable to attack.

Experts advise organisations still running end-of-life VMware ESXi servers to take precautions, since many ransomware operators will attempt to exploit them.
