logo_SVG-01
✕
  • Platform
    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    • Managed Security Services
    • Managed Penetration Testing
  • Services
    • Assess
      • Compromise Assessment
      • Advanced Persistent Threats Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      • SOC Maturity Assessment
      • SOC Model Evaluation
      • SOC Gap Analysis
      • SIEM Gap Analysis
      • SIEM Optimization
      • SOC Content Pack
    • Train
      • Simulated Cyber Attack Exercise
      • Tabletop Exercise
      • Security Awareness and Training
    • Respond
      • Incident Analysis
      • Incident Response
  • Solutions
  • Resources
    • Blogs
    • Press Releases
    • Threat Insights
      • Threat Intelligence Reports
      • Threat Advisories
      • Monthly Threat Insights
  • Why Rewterz?
    • About Us
    • Careers
    • Contact
logo_SVG-01
  • Platform
    xdrLogo
    center_new
    Read More about XDR

    Platform

    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    Rewterz Threat Alert – Royal Ransomware’s Linux Version Targeting VMware ESXi servers – Active IOCs

    Managed Security Services

    • Managed Security Monitoring
    • Remote SOC
    • Onsite SOC
    • Hybrid SOC

    Managed Penetration Testing

    Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.

  • Services

    Assess

    • Compromise Assessment
    • APT Assessment
    • Penetration Testing
    • Architecture Design & Review
    • Red Team Assessment
    • Purple Team Assessment
    • Social Engineering
    • Source Code Review

    Transform

    • SOC Consultancy
    • SOC Maturity Assessment
    • SOC Model Evaluation
    • SOC Gap Analysis
    • SIEM Gap Analysis
    • SIEM Optimization
    • SOC Content Pack

    Train

    • Simulated Cyber Attack Exercise
    • Tabletop Exercise
    • Security Awareness and Training

    Respond

    • Incident Analysis
    • Incident Response
  • Solutions
  • Resources

    Resources

    • Blog
    • Press Releases
    March 17, 2023
    March 17, 2023
    Rewterz Threat Alert – Chaos Ransomware – Active IOCs
    Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]
    March 17, 2023
    March 17, 2023
    Rewterz Threat Advisory – Multiple Adobe ColdFusion Vulnerabilities
    Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]
    March 17, 2023
    March 17, 2023
    Rewterz Threat Alert – Ursnif Banking Trojan aka Gozi – Active IOCs
    Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]

    Threat Insights

    16
    pdf-file (1)
    Annual Threat Intelligence Report 2022
    • Threat Advisories
    • Monthly Threat Insights
    • Threat Intelligence Reports
  • Why Rewterz?

    About Us

    Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.

    Read More

    play_btn_Smallplay_btn_hover_Small
    leadership

    Our Leadership

    Our leadership team brings together years of knowledge and experience in cybersecurity to drive our company's mission and vision. Our team is passionate about delivering high-quality products and services, leading by example and assisting our clients in securing their organization’s environment.
    help

    CSR

    At Rewterz, we believe that businesses have a responsibility to impact positively and contribute to the well-being of our communities as well as the planet. That's why we are committed to operating in a socially responsible and sustainable way.

    Connect with Us

    • Contact
    • Careers
Get in Touch
logo_SVG-01
  • Platform
    xdrLogo
    center_new
    Read More about XDR

    Platform

    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    Rewterz Threat Alert – Royal Ransomware’s Linux Version Targeting VMware ESXi servers – Active IOCs

    Managed Security Services

    • Managed Security Monitoring
    • Remote SOC
    • Onsite SOC
    • Hybrid SOC

    Managed Penetration Testing

    Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.

  • Services

    Assess

    • Compromise Assessment
    • APT Assessment
    • Penetration Testing
    • Architecture Design & Review
    • Red Team Assessment
    • Purple Team Assessment
    • Social Engineering
    • Source Code Review

    Transform

    • SOC Consultancy
    • SOC Maturity Assessment
    • SOC Model Evaluation
    • SOC Gap Analysis
    • SIEM Gap Analysis
    • SIEM Optimization
    • SOC Content Pack

    Train

    • Simulated Cyber Attack Exercise
    • Tabletop Exercise
    • Security Awareness and Training

    Respond

    • Incident Analysis
    • Incident Response
  • Solutions
  • Resources

    Resources

    • Blog
    • Press Releases
    March 17, 2023
    March 17, 2023
    Rewterz Threat Alert – Chaos Ransomware – Active IOCs
    Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]
    March 17, 2023
    March 17, 2023
    Rewterz Threat Advisory – Multiple Adobe ColdFusion Vulnerabilities
    Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]
    March 17, 2023
    March 17, 2023
    Rewterz Threat Alert – Ursnif Banking Trojan aka Gozi – Active IOCs
    Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]

    Threat Insights

    16
    pdf-file (1)
    Annual Threat Intelligence Report 2022
    • Threat Advisories
    • Monthly Threat Insights
    • Threat Intelligence Reports
  • Why Rewterz?

    About Us

    Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.

    Read More

    play_btn_Smallplay_btn_hover_Small
    leadership

    Our Leadership

    Our leadership team brings together years of knowledge and experience in cybersecurity to drive our company's mission and vision. Our team is passionate about delivering high-quality products and services, leading by example and assisting our clients in securing their organization’s environment.
    help

    CSR

    At Rewterz, we believe that businesses have a responsibility to impact positively and contribute to the well-being of our communities as well as the planet. That's why we are committed to operating in a socially responsible and sustainable way.

    Connect with Us

    • Contact
    • Careers
Get in Touch
Rewterz
Rewterz Threat Alert – Bitter APT Group – Active IOCs
February 24, 2023
Rewterz
Rewterz Threat Alert – Rhadamanthys Stealer – Active IOCs
February 24, 2023

Rewterz Threat Alert – Royal Ransomware’s Linux Version Targeting VMware ESXi servers – Active IOCs

February 24, 2023

Severity

High

Analysis Summary

Royal Ransomware, a new ransomware strain, is the latest malware to add encrypting capabilities to its variants, specifically targeting VMware ESXi virtual machines. It is a ransomware-as-a-service (RaaS) model, which is executed without parameters and starts encrypting all files in the / directory. The malware also comes with support for multiple flags that give the ransomware operators some control over the encryption process. Detection score on VirusTotal has increased as anti-malware solutions have started to detect the malware, and it is currently targeting organizations in the Healthcare and Public Healthcare (HPH) sectors.

The discovery of the new Linux Royal Ransomware variant by Will Thomas of the Equinix Threat Analysis Center (ETAC) highlights the importance of ongoing research and monitoring for new and emerging threats in the cybersecurity landscape. 

The new Linux Royal Ransomware variant has support for multiple flags that give attackers more control over the encryption process. The flags allow the attackers to target virtual machines specifically and stop them from running to encrypt the data. The purpose of the “fork” and “logs” flags is currently unknown. The “id” flag requires an identifier that must be 32 characters in length, but its purpose is also unknown at this time. The presence of these flags highlights the evolving nature of ransomware threats and the need for organizations to stay informed and implement strong cybersecurity measures to protect their systems and data.

  • stopvm > stops all running VMs
  • -vmonly – Only encrypt VMs
  • -fork & logs – unknown
  • -id: id must be 32 characters

The ransomware will append the .royal_u extension to all encrypted archives in the VM when encrypting them.

The threat actors behind Royal ransomware were previously involved in the Conti ransomware operation. The malicious actors behind Royal ransomware use a form of intermittent encryption tactic to speed their encryption process, which is executed using the command line and has support for multiple flags that give the ransomware operators some control over the encryption process. 

After emerging in January 2022, Royal ransomware is being distributed mainly by U.S. threat actors, primarily via malicious attachments and malicious advertisements. The strain is demanding ransom payments ranging from $250,000 to tens of millions of dollars after encrypting their targets’ enterprise network systems. Anti-malware solutions have started to detect the strain, but it is still being detected by 23 out of 62 malware scanning engines on VirusTotal.

Ransomware operators have found a new target in recent months – VMware’s ESXi virtual machines. With the increasing popularity of virtual machines among enterprises due to their improved device management capabilities and efficient resource handling, these groups have shifted their focus to VMs. After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers. This can be extremely damaging to businesses, as it can disrupt their operations and potentially cause major losses in terms of data and revenue.

ransom note: source

To prevent these attacks, organizations should ensure that their VMs are properly secured and updated with the latest security patches. VMs should also be monitored regularly to detect any suspicious activities or malicious code. Additionally, companies should implement a robust backup solution to ensure that if a ransomware attack is successful, they will still be able to recover their data. Finally, they should also use anti-ransomware solutions such as anti-malware software to protect themselves from these malicious threats.

Impact

  • File Encryption

Indicators of Compromise

MD5

  • 87adb14271dc49e6b0f2eb4b03f4bbe7

SHA-256

  • 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725

SHA-1

  • 76215e7047773dd05b8af8e96689b2fe7e7b2ffc

Remediation

  • Regular software updates: Keeping software up to date can help close security vulnerabilities that ransomware actors may exploit.
  • Backups: Regular backups of critical data can help organizations recover from a ransomware attack without paying the ransom.
  • Employee training: Educating employees about the dangers of phishing scams and the importance of good cyber hygiene can help prevent the spread of ransomware within an organization.
  • Network segmentation: Segmenting networks can limit the damage that ransomware can cause by restricting its spread within an organization.
  • Use of anti-virus and anti-malware software: Deploying and regularly updating anti-virus and anti-malware software can help detect and prevent the spread of ransomware.
  • Monitoring of network activity: Regular monitoring of network activity can help organizations detect suspicious activity, including ransomware attacks.
  • Restricting administrative privileges: Limiting administrative privileges to only those who need them can help prevent ransomware from executing on an infected system.
  • Patch and upgrade systems on a regular basis. It is critical to keep operating systems and apps up to date as well as patch management methods in place to dissuade malicious actors from exploiting any software vulnerabilities.
  • Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
  • VMs should also be monitored regularly to detect any suspicious activities or malicious code.
  • Enable multifactor authentication (MFA) to prevent lateral network movement by attackers.
  • Companies should implement a robust backup solution to ensure that if a ransomware attack is successful, they will still be able to recover their data.

It’s important to note that no single remediation measure can provide complete protection against ransomware, and organizations should implement a combination of measures to help defend against these types of attacks.

Platform

  • Rewterz XDR
  • Rewterz Defense
  • Rewterz Threat Intelligence

Managed Security Services

  • Managed Security Monitoring
  • Remote SOC
  • Onsite SOC
  • Hybrid SOC

Assess

  • Compromise Assessment
  • APT Assessment
  • Penetration Testing
  • Architecture Design & Review
  • Red Team Assessment
  • Purple Team Assessment
  • Social Engineering
  • Source Code Review

Transform

  • SOC Consultancy
  • SOC Maturity Assessment
  • SOC Model Evaluation
  • SOC Gap Analysis
  • SIEM Gap Analysis
  • SIEM Optimization
  • SOC Content Pack

Train

  • Simulated Cyber Attack Exercise
  • Tabletop Exercise
  • Security Awareness and Training

Respond

  • Incident Analysis
  • Incident Response

Threat Insights

  • Threat Advisories
  • Monthly Threat Insights
  • Threat Intelligence Reports

Resources

  • Blog
  • Press Releases

Connect With Us

  • Contact
  • Careers
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.
Get a Demo