Rewterz Threat Alert – Royal Ransomware’s Linux Version Targeting VMware ESXi servers – Active IOCs

Severity

High

Analysis Summary

Royal Ransomware, a new ransomware strain, is the latest malware to add encrypting capabilities to its variants, specifically targeting VMware ESXi virtual machines. It is a ransomware-as-a-service (RaaS) model, which is executed without parameters and starts encrypting all files in the / directory. The malware also comes with support for multiple flags that give the ransomware operators some control over the encryption process. Detection score on VirusTotal has increased as anti-malware solutions have started to detect the malware, and it is currently targeting organizations in the Healthcare and Public Healthcare (HPH) sectors.

The discovery of the new Linux Royal Ransomware variant by Will Thomas of the Equinix Threat Analysis Center (ETAC) highlights the importance of ongoing research and monitoring for new and emerging threats in the cybersecurity landscape. 

The new Linux Royal Ransomware variant has support for multiple flags that give attackers more control over the encryption process. The flags allow the attackers to target virtual machines specifically and stop them from running to encrypt the data. The purpose of the “fork” and “logs” flags is currently unknown. The “id” flag requires an identifier that must be 32 characters in length, but its purpose is also unknown at this time. The presence of these flags highlights the evolving nature of ransomware threats and the need for organizations to stay informed and implement strong cybersecurity measures to protect their systems and data.

• stopvm > stops all running VMs
• -vmonly – Only encrypt VMs
• -fork & logs – unknown
• -id: id must be 32 characters

The ransomware will append the .royal_u extension to all encrypted archives in the VM when encrypting them.

The threat actors behind Royal ransomware were previously involved in the Conti ransomware operation. The malicious actors behind Royal ransomware use a form of intermittent encryption tactic to speed their encryption process, which is executed using the command line and has support for multiple flags that give the ransomware operators some control over the encryption process. 

After emerging in January 2022, Royal ransomware is being distributed mainly by U.S. threat actors, primarily via malicious attachments and malicious advertisements. The strain is demanding ransom payments ranging from $250,000 to tens of millions of dollars after encrypting their targets’ enterprise network systems. Anti-malware solutions have started to detect the strain, but it is still being detected by 23 out of 62 malware scanning engines on VirusTotal.

Ransomware operators have found a new target in recent months – VMware’s ESXi virtual machines. With the increasing popularity of virtual machines among enterprises due to their improved device management capabilities and efficient resource handling, these groups have shifted their focus to VMs. After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers. This can be extremely damaging to businesses, as it can disrupt their operations and potentially cause major losses in terms of data and revenue.

ransom note: source

To prevent these attacks, organizations should ensure that their VMs are properly secured and updated with the latest security patches. VMs should also be monitored regularly to detect any suspicious activities or malicious code. Additionally, companies should implement a robust backup solution to ensure that if a ransomware attack is successful, they will still be able to recover their data. Finally, they should also use anti-ransomware solutions such as anti-malware software to protect themselves from these malicious threats.

Impact

• File Encryption

Indicators of Compromise

MD5

• 87adb14271dc49e6b0f2eb4b03f4bbe7

SHA-256

• 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725

SHA-1

• 76215e7047773dd05b8af8e96689b2fe7e7b2ffc

Remediation

• Regular software updates: Keeping software up to date can help close security vulnerabilities that ransomware actors may exploit.
• Backups: Regular backups of critical data can help organizations recover from a ransomware attack without paying the ransom.
• Employee training: Educating employees about the dangers of phishing scams and the importance of good cyber hygiene can help prevent the spread of ransomware within an organization.
• Network segmentation: Segmenting networks can limit the damage that ransomware can cause by restricting its spread within an organization.
• Use of anti-virus and anti-malware software: Deploying and regularly updating anti-virus and anti-malware software can help detect and prevent the spread of ransomware.
• Monitoring of network activity: Regular monitoring of network activity can help organizations detect suspicious activity, including ransomware attacks.
• Restricting administrative privileges: Limiting administrative privileges to only those who need them can help prevent ransomware from executing on an infected system.
• Patch and upgrade systems on a regular basis. It is critical to keep operating systems and apps up to date as well as patch management methods in place to dissuade malicious actors from exploiting any software vulnerabilities.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• VMs should also be monitored regularly to detect any suspicious activities or malicious code.
• Enable multifactor authentication (MFA) to prevent lateral network movement by attackers.
• Companies should implement a robust backup solution to ensure that if a ransomware attack is successful, they will still be able to recover their data.

It’s important to note that no single remediation measure can provide complete protection against ransomware, and organizations should implement a combination of measures to help defend against these types of attacks.