Royal Ransomware is another ransomware operation to add the ability to encrypt Linux devices to its arsenal, specifically targeting virtual machines on VMware ESXi hypervisors. Will Thomas of the Equinix Threat Analysis Center (ETAC) uncovered the latest iteration of the Linux Royal Ransomware.
The Royal Ransomware operation was formed by experienced threat actors who had previously worked for the Conti ransomware crime organization. First discovered in January 2022, Royal began to increase its malicious activity starting in September.
The group switched from using encryptors from other organizations, such as BlackCat, to using its own, beginning with Zeon, which became Royal and which produced ransom notes resembling those produced by Conti and files with the extension “.royal_u”. The U.S. Department of Health and Human Services (HHS) issued a warning in December about ransomware attacks using Royal Ransomware to target businesses in the Healthcare and Public Healthcare (HPH) sector.