Royal ransomware has expanded its targets to Linux-based ESXi servers, introducing a Linux variant that encrypts files on virtualization hosts. The analysis outlines how the Linux variant uses ESXi tooling and traditional encryption (AES/RSA) to disrupt data centers, reflecting the threat actors’ Conti lineage. #RoyalRansomware #ESXi
Key points
- Royal ransomware expanded to Linux ESXi servers with a dedicated Linux variant capable of encrypting files on the host.
- The Linux variant is linked to Conti-era actors and shows lineage from Royal’s Windows variant, including rebranding of ransom notes.
- It accepts specific command-line arguments (-id, -ep, -stopvm, -vmonly, -fork, -logs) to control its behavior during infection.
- It uses ESXCLI to terminate VM processes, illustrating direct manipulation of virtualization infrastructure.
- The malware performs file discovery with opendir/readdir, recursively scanning directories to encrypt eligible files while excluding certain targets.
- Encryption combines AES (OpenSSL) and RSA, appending the encrypted AES key/IV to each file and adding the “royal_u” extension to encrypted files.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Royal Linux variant uses command-line arguments and ESXCLI to perform actions, e.g. “esxcli vm process kill --type=hard --world-id={ }”.
- [T1083] File and Directory Discovery – It opens directories with opendir, reads entries with readdir in a loop, and recursively processes subdirectories to locate files for encryption.
- [T1486] Data Encrypted for Impact – The ransomware encrypts files using AES (OpenSSL) and RSA, appending the encrypted AES key/IV to each file and renaming it with a specific extension.
- [T1499] Endpoint Denial of Service – By terminating VM processes via ESXCLI, it disrupts virtualization and impacts availability of hosted VMs.
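An added defender-side triage example (not from the report and not Royal's own code) that checks the two host-level signals described above: hard kills of VM worlds via ESXCLI recorded in the shell history, and datastore files carrying the royal_u extension. The log lines, paths and world IDs are constructed, and the shell.log line format is an assumption.

```python
import re
from typing import Iterable, List

# Constructed sample ESXi shell.log lines (not real log data from the report).
SAMPLE_SHELL_LOG = """\
2023-02-10T02:11:04Z shell[2099872]: [root]: esxcli vm process list
2023-02-10T02:11:09Z shell[2099872]: [root]: esxcli vm process kill --type=hard --world-id=2101311
2023-02-10T02:11:10Z shell[2099872]: [root]: esxcli vm process kill --type=hard --world-id=2101458
2023-02-10T02:13:31Z shell[2099872]: [root]: ls /vmfs/volumes
"""

# Constructed datastore listing taken after encryption (placeholder paths).
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.royal_u",
    "/vmfs/volumes/ds1/web01/web01.vmx.royal_u",
    "/vmfs/volumes/ds1/web01/readme",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk",
]

KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\s+(?P<args>.*)$")
WORLD_RE = re.compile(r"--world-id=(\d+)")

def find_hard_kills(log_lines: Iterable[str]) -> List[int]:
    """Return world IDs of VMs killed with --type=hard, the pattern the report describes."""
    world_ids = []
    for line in log_lines:
        m = KILL_RE.search(line)
        if not m or "--type=hard" not in m.group("args"):
            continue
        w = WORLD_RE.search(m.group("args"))
        if w:
            world_ids.append(int(w.group(1)))
    return world_ids

def find_encrypted_files(paths: Iterable[str], ext: str = ".royal_u") -> List[str]:
    """Return paths carrying the extension Royal appends to encrypted files."""
    return [p for p in paths if p.endswith(ext)]

def triage(log_text: str, paths: Iterable[str]) -> dict:
    """Combine both signals into one verdict for an ESXi host."""
    kills = find_hard_kills(log_text.splitlines())
    enc = find_encrypted_files(paths)
    # Hard kills followed by renamed VM files is the sequence in the report;
    # either signal alone is still worth an analyst's look.
    return {"hard_kills": kills, "encrypted_files": enc,
            "suspicious": bool(kills) or bool(enc)}

if __name__ == "__main__":
    print(triage(SAMPLE_SHELL_LOG, SAMPLE_PATHS))
```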
Indicators of Compromise
- [SHA256] – b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c
- [SHA256] – 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725