Linux version of Royal Ransomware targets VMware ESXi servers

Royal Ransomware

Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.

BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.

It also comes with support for multiple flags that will give the ransomware operators some control over the encryption process:

  • -stopvm > stops all running VMs so they can be encrypted
  • -vmonly – Only encrypt virtual machines
  • -fork – unknown
  • -logs – unknown
  • -id: id must be 32 characters

When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.

While anti-malware solutions had issues detecting Royal Ransomware samples that bundle the new targeting capabilities, they’re now detected by 23 out of 62 malware scanning engines on VirusTotal.

Royal_Ransomware_ESXi_detections_VTDetection score on VirusTotal

​Who is Royal Ransomware?

Royal Ransomware is a private operation comprised of seasoned threat actors who previously worked with the Conti ransomware operation

Starting in September, Royal ramped up malicious activities months after first being spotted in January 2022.

While they initially utilized encryptors from other operations, such as BlackCat, they transitioned to using their own, starting with Zeon which dropped ransom notes similar to those generated by Conti.

In mid-September, the group rebranded as “Royal” and began deploying a new encryptor in attacks that produces ransom notes with the same name. 

The gang demands ransom payments ranging from $250,000 to tens of millions after encrypting their targets’ enterprise network systems. 

In December, the U.S. Department of Health and Human Services (HHS) warned of Royal ransomware attacks targeting organizations in the Healthcare and Public Healthcare (HPH) sector.

Royal ransomware submissionsRoyal ransomware submissions (ID Ransomware)

​Most ransomware strains now also target Linux

The ransomware groups’ shift towards targeting ESXi virtual machines aligns with a trend where enterprises have transitioned to VMs as they come with improved device management and much more efficient resource handling. 

After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers.

“The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,” Wosar told BleepingComputer last year.

You can find more info on Royal Ransomware and what to do if you get hit in this support topic on the BleepingComputer forum.

Tens of thousands of VMware ESXi servers exposed on the Internet reached their end-of-life in October, according to a Lansweeper report.

These systems will only receive technical support from now on but no security updates, which exposes them to ransomware attacks.

To put things in perspective and show just how exposed to attacks such servers are, a new ransomware strain known as ESXiArgs was used to scan for and encrypt unpatched servers in a massive campaign targeting ESXi devices worldwide this Friday.

Within just a few hours, over 100 servers worldwide were compromised in these attacks, according to a Shodan search.


  • Mike_Walsh Photo Mike_Walsh – 18 hours ago

    <p>Always the same old, boring stuff. Always the same targets. Don&#39;t these people HAVE any imagination? (Of course, in the same breath that COULD be taken to show that Linux has very few, genuine targets that these idiots can actually do anything with…..) (*shrug*)</p>

  • NoneRain Photo NoneRain – 4 hours ago

    Imagination? There’s plenty. The thing is, most targeted attacks try to breach the weaker side: users, and then expand laterally.
    You can’t breach a host or their VM’s if you can’t see them in the first place. That said, there are many scans looking for vuls/misconfigured systems facing the internet, generally focusing on widely used applications.
    Linux is vulnerable as any system can be, but some so-called “Linux sysadmins” ignore the infinite facets of exploitation that exists in all systems delivering services.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.21 4M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 22,157 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 52,757 Downloads


Related posts

SonicWall warns web content filtering is broken on Windows 11 22H2

Sarah Henriquez

BlackByte ransomware gang is back with new extortion tactics

Sarah Henriquez

Hackers exploit critical Zyxel firewall flaw in ongoing attacks

Sarah Henriquez

Leave a Comment