The Royal Menace Spreads to Linux: A Deep Dive into this New Ransomware

Royal Ransomware Expands to Linux Platforms, Targets ESXi Servers

Royal ransomware was first identified in early 2022 and was found to be targeting Windows machines. The Threat Actors (TAs) initially relied on third-party ransomware such as BlackCat and Zeon ransomware, but later in September 2022, they began using new and unique code.

By November 2022, Royal ransomware had become the most widespread ransomware in the wild, surpassing Lockbit as the top ransomware for the first time in over a year. Phishing was the most common technique used by the TAs to deliver the Royal ransomware payload.

Cyble Research & Intelligence Labs (CRIL) recently came across a Linux sample performing Ransomware activities. Upon analyzing the sample, we identified it as a Linux variant of Royal ransomware targeting ESXi servers.

This executable shows the entry of Royal ransomware in Linux platforms. The payload, after successful execution, was appending file extensions with “.royal_u” and dropping a ransom note with the name “readme.txt”.

The Manufacturing industry is the top target of the Royal ransomware, followed by Professional Services and Food & Beverages.

The below figure shows the industries targeted by Royal ransomware.

Figure 1 – Industries Targeted by Royal Ransomware

The United States nation most impacted by Royal ransomware, followed by Canada and Germany.

The figure below illustrates the geographical distribution of Royal ransomware infections worldwide.

Figure 2 – Geographical distribution of Royal Ransomware Infections

Technical Analysis

Static analysis of the sample with hash: b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4 shows that the malicious file is a 64-bit ELF binary compiled using GCC, as demonstrated in the following figure.

Figure 3 – Royal Ransomware Payload Static Information

Upon execution, the ransomware first performs a test of its encryption capabilities on the victim’s machine by calling the function test_encrypt. This function encrypts the string “test” and checks if the encryption was successful. If the test encryption fails, the ransomware will terminate itself.

The below figure shows the arguments that need to be provided with the ransomware binary to encrypt files on the victim’s machine.

Figure 4 – Arguments Required to Execute the Sample

The -id argument is a unique identifier used by the ransomware, and it must be 32 characters long. Otherwise, the ransomware will not run, as shown below.

Figure 5 – 32 Character Key is Required to Run the Payload

The “-ep” argument sets the number of threads to be created. This value must be in the range of 1 to 100. If the value is not within this range, the number of threads will be defaulted to 50, as shown below.

Figure 6 – Number of Worker Threads is Set

The stopvm argument is used to halt any virtual machines currently running on the ESXi server before the encryption process begins. If this argument is provided, the ransomware invokes the stop_vm() function to terminate the virtual machines using the following methods.

Initially, the ransomware retrieves information about the running virtual machines using the command “esxcli vm process list” and saves the output in a file called “list“, as shown below.

Figure 7 – Malware Gets the List of Running Virtual Machines

Afterward, the ransomware reads the “list” file and obtains the World-ID of the running virtual machines. Then, it terminates these virtual machines by executing the command esxcli vm process kill –type=hard –world-id=%s.

Figure 8 – Kills Running Virtual Machines

The malware checks for the presence of the argument -vmonly. If it is not found, it then checks for the argument -fork. If the argument -fork is detected, it sets the V17 variable to 1. If -fork is not present, the code then checks for the argument “-logs”. If this argument is detected, the logs::init() function is called, which logs the activities of the ransomware.

Figure 9 – Malware Checks for the Arguments

The ransomware now checks the value of the V17 variable. If set to 1, it invokes the fork() function to generate a child process for encryption.

This way, the child process takes care of encrypting the files in the virtual machine.

As a result, two child processes are generated and then detached from the parent process, as shown below. If the V17 variable is not set, then it only encrypts virtual machines.

Figure 10 – Generate Child Process for Encryption

After creating child processes, the ransomware employs multi-threading for its encryption using the threadpool library. It then calls the search_files() function to search for and enumerate the files in the virtual machine and encrypts them. It also excludes certain files and file extensions from the encryption process, as shown below.

Figure 11 – Exclude Particular Files from Encryption

While the malware searches and encrypts files, it also creates ransom notes in a parallel process. The figure below indicates the code snippet used by the malware to drop ransom notes.

Figure 12 – Dropping Ransom Note

The ransomware uses a combination of RSA and AES encryption algorithms for its encryption.

  1. The first step of the malware’s operation involves generating a 48-byte random number using the gen_random() function.
  2. The RSA public key, which is hardcoded in the malware file, is then used to encrypt the previously generated 48-byte random number, resulting in a 48-byte number that serves as the key for AES encryption.
  3. The contents of the file are encrypted using the AES algorithm and the RSA-generated key from step 2 as the AES key.
  4. The malware appends the RSA-generated key to the end of the encrypted file after the AES encryption process has been completed.
  5. After successful encryption, it appends the “royal_u” extension to the encrypted files.
Figure 13 – Malware Uses a Combination of RSA and AES Encryption Algorithm

The image below displays the ransom message, where the TAs instruct victims to visit their TOR website and follow the steps to access their encrypted information.

Figure 14 – Ransom Note

On the TOR website, the TAs ask the victims to share their email addresses and submit any questions they may have to receive further assistance.

Figure 15 – Royal Ransomware TOR Website


Recently, the threat actors behind Royal ransomware released a new version of their malware, specifically targeting VMWare ESXi servers due to their increasing popularity among organizations. This is not the first time various well-known and unknown threat actors have targeted Linux platforms for malicious purposes.

Cyble Research & Intelligence Labs is continuously monitoring the Royal ransomware campaign and will keep updating our readers with the latest information as and when we find it.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • It is strongly recommended that users and administrators of specific versions of VMware ESXi products update to the latest versions as soon as possible due to a vulnerability that affects these versions.
  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Install reputable anti-virus and Internet security software on all connected devices, including personal computers, laptops, and mobile phones.
  • Remove any infected devices connected to the same network and disconnect external storage devices if they are connected.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Command and Scripting Interpreter
PersistenceT1543Systemd Service
Defense EvasionT1036
System Information Discovery
File and Directory Discovery
Security Software Discovery
Command and ControlT1071
Application Layer Protocol
Encrypted Channel

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4SHA256Royal Ransomware Linux Executable
9874546fea08fee04b3271a6366ff6dd3ad6fae2SHA1Royal Ransomware Linux Executable
a9429fa4db9a5fe059896653a5d4d35cMD5Royal Ransomware Linux Executable
hxxp://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion/URLRoyal Ransomware Tor Website


Comments are closed.

Scroll to Top