Royal Ransomware Expands to Linux Platforms, Targets ESXi Servers
Royal ransomware was first identified in early 2022 and was found to be targeting Windows machines. The Threat Actors (TAs) initially relied on third-party ransomware such as BlackCat and Zeon ransomware, but later in September 2022, they began using new and unique code.
By November 2022, Royal ransomware had become the most widespread ransomware in the wild, surpassing Lockbit as the top ransomware for the first time in over a year. Phishing was the most common technique used by the TAs to deliver the Royal ransomware payload.
Cyble Research & Intelligence Labs (CRIL) recently came across a Linux sample performing Ransomware activities. Upon analyzing the sample, we identified it as a Linux variant of Royal ransomware targeting ESXi servers.
This executable shows the entry of Royal ransomware in Linux platforms. The payload, after successful execution, was appending file extensions with “.royal_u” and dropping a ransom note with the name “readme.txt”.
The Manufacturing industry is the top target of the Royal ransomware, followed by Professional Services and Food & Beverages.
The below figure shows the industries targeted by Royal ransomware.

The United States nation most impacted by Royal ransomware, followed by Canada and Germany.
The figure below illustrates the geographical distribution of Royal ransomware infections worldwide.

Technical Analysis
Static analysis of the sample with hash: b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4 shows that the malicious file is a 64-bit ELF binary compiled using GCC, as demonstrated in the following figure.

Upon execution, the ransomware first performs a test of its encryption capabilities on the victim’s machine by calling the function test_encrypt. This function encrypts the string “test” and checks if the encryption was successful. If the test encryption fails, the ransomware will terminate itself.
The below figure shows the arguments that need to be provided with the ransomware binary to encrypt files on the victim’s machine.

The -id argument is a unique identifier used by the ransomware, and it must be 32 characters long. Otherwise, the ransomware will not run, as shown below.

The “-ep” argument sets the number of threads to be created. This value must be in the range of 1 to 100. If the value is not within this range, the number of threads will be defaulted to 50, as shown below.

The stopvm argument is used to halt any virtual machines currently running on the ESXi server before the encryption process begins. If this argument is provided, the ransomware invokes the stop_vm() function to terminate the virtual machines using the following methods.
Initially, the ransomware retrieves information about the running virtual machines using the command “esxcli vm process list” and saves the output in a file called “list“, as shown below.

Afterward, the ransomware reads the “list” file and obtains the World-ID of the running virtual machines. Then, it terminates these virtual machines by executing the command esxcli vm process kill –type=hard –world-id=%s.

The malware checks for the presence of the argument -vmonly. If it is not found, it then checks for the argument -fork. If the argument -fork is detected, it sets the V17 variable to 1. If -fork is not present, the code then checks for the argument “-logs”. If this argument is detected, the logs::init() function is called, which logs the activities of the ransomware.

The ransomware now checks the value of the V17 variable. If set to 1, it invokes the fork() function to generate a child process for encryption.
This way, the child process takes care of encrypting the files in the virtual machine.
As a result, two child processes are generated and then detached from the parent process, as shown below. If the V17 variable is not set, then it only encrypts virtual machines.

After creating child processes, the ransomware employs multi-threading for its encryption using the threadpool library. It then calls the search_files() function to search for and enumerate the files in the virtual machine and encrypts them. It also excludes certain files and file extensions from the encryption process, as shown below.

While the malware searches and encrypts files, it also creates ransom notes in a parallel process. The figure below indicates the code snippet used by the malware to drop ransom notes.

The ransomware uses a combination of RSA and AES encryption algorithms for its encryption.
- The first step of the malware’s operation involves generating a 48-byte random number using the gen_random() function.
- The RSA public key, which is hardcoded in the malware file, is then used to encrypt the previously generated 48-byte random number, resulting in a 48-byte number that serves as the key for AES encryption.
- The contents of the file are encrypted using the AES algorithm and the RSA-generated key from step 2 as the AES key.
- The malware appends the RSA-generated key to the end of the encrypted file after the AES encryption process has been completed.
- After successful encryption, it appends the “royal_u” extension to the encrypted files.

The image below displays the ransom message, where the TAs instruct victims to visit their TOR website and follow the steps to access their encrypted information.

On the TOR website, the TAs ask the victims to share their email addresses and submit any questions they may have to receive further assistance.

Conclusion
Recently, the threat actors behind Royal ransomware released a new version of their malware, specifically targeting VMWare ESXi servers due to their increasing popularity among organizations. This is not the first time various well-known and unknown threat actors have targeted Linux platforms for malicious purposes.
Cyble Research & Intelligence Labs is continuously monitoring the Royal ransomware campaign and will keep updating our readers with the latest information as and when we find it.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- It is strongly recommended that users and administrators of specific versions of VMware ESXi products update to the latest versions as soon as possible due to a vulnerability that affects these versions.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Install reputable anti-virus and Internet security software on all connected devices, including personal computers, laptops, and mobile phones.
- Remove any infected devices connected to the same network and disconnect external storage devices if they are connected.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1059 T1064 | Command and Scripting Interpreter Scripting |
Persistence | T1543 | Systemd Service |
Defense Evasion | T1036 T1064 | Masquerading Scripting |
Discovery | T1082 T1083 T1518 | System Information Discovery File and Directory Discovery Security Software Discovery |
Command and Control | T1071 T1090 T1573 | Application Layer Protocol Proxy Encrypted Channel |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4 | SHA256 | Royal Ransomware Linux Executable |
9874546fea08fee04b3271a6366ff6dd3ad6fae2 | SHA1 | Royal Ransomware Linux Executable |
a9429fa4db9a5fe059896653a5d4d35c | MD5 | Royal Ransomware Linux Executable |
hxxp://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[.]onion/ | URL | Royal Ransomware Tor Website |
Comments are closed.