Latest Threat Research: Technical Analysis: Killer Ultra Malware Targeting EDR Products in Ransomware Attacks

Get Informed


VMware ESXi Servers Targeted by Linux Variant of Royal Ransomware

Targeting VMware ESXi virtual machines, Royal Ransomware is another ransomware operation to add capabilities for encrypting Linux devices to its arsenal, targeting ESXi hypervisors. Will Thomas of the Equinix Threat Analysis Center (ETAC) uncovered the latest iteration of the Linux Royal Ransomware.

The operation known as Royal Ransomware was formed by experienced threat actors who had previously worked for the Conti ransomware crime organization. After being discovered for the first time in January 2022, Royal began to increase its malicious behavior starting in September.
They switched from using encryptors from other organizations, like BlackCat, to using their own, beginning with Zeon which became Royal, which produced ransom notes resembling those produced by Conti and files with the extension “.royal_u”. The U.S. Department of Health and Human Services (HHS) issued a warning in December about ransomware attacks using Royal Ransomware to target businesses in the Healthcare and Public Healthcare (HPH) sector.

Analyst Notes

Hypervisors like ESXi continue to become more ubiquitous due to the power and convenience of managing virtual machines rather than physical ones. Unfortunately, that power and convenience also attract threat actors. The compromise of a hypervisor also implies the compromise of every virtual machine housed within. In a single stroke, dozens to hundreds of critical virtual machines could be encrypted and held for ransom.

ESXi servers are particularly vulnerable, inciting the recent trend of ransomware operations to focus on specific unpatched vulnerabilities. Tens of thousands of VMware ESXi servers exposed on the Internet reached their end-of-life in October, according to a Lansweeper report. These systems will only receive technical support from now on but no security updates, which exposes them to ransomware attacks.
Binary Defense strongly recommends that any hypervisor of any kind should not be accessible from the internet. A Shodan search uncovered over 100 ESXi servers compromised worldwide in the past few days in the wake of the ESXiArgs campaign abusing a vulnerability found in ESXi. Binary Defense also strongly recommends maintaining a frequent patch cycle for ESXi servers to help keep important systems from the clutches of attackers.