"Royal Ransomware Adds Support for Encrypting Linux, VMWare ESXi Systems"

The Royal Ransomware group has now added support for encrypting Linux devices and targeting VMWare ESXi virtual machines. Other ransomware operators, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, LockBit, Luna, Nevada, RansomEXX, and REvil, already support Linux encryption. Will Thomas, a researcher at the Equinix Threat Analysis Center (ETAC), found the Linux variant of the Royal Ransomware. The variant appends the .royal_u extension to all encrypted filenames on the virtual machine. The ransomware variant has a 32 out of 63 detection rate, according to VirusTotal query results. According to Thomas, the malware is executed through the command line and supports several parameters for controlling encryption activities. Royal Ransomware is a human-operated threat that emerged in September 2022. It has demanded ransoms of up to millions of dollars. Unlike other ransomware operations, it does not appear to offer Ransomware-as-a-Service (RaaS). Instead, it appears to be a private group with no affiliates. This article continues to discuss Royal Ransomware operators adding support for encrypting Linux devices. 

Security Affairs reports "Royal Ransomware Adds Support for Encrypting Linux, VMWare ESXi Systems"