Verticals Targeted: IT, Financial, Materials, Healthcare, Food Production
Trend Micro recently reported on a new Linux variant of Royal ransomware that targets Linux systems and ESXi servers. Royal ransomware is yet another contender among the many ransomware families now targeting Linux systems.
- Industry researchers recently discovered a Linux variant of Royal ransomware.
- The Linux variant of Royal creates multiple threads and uses intermittent encryption to speed up the encryption process.
- Files encrypted by the Linux variant of Royal are appended with the .royal_u extension.
What is the Royal Ransomware Linux Variant?
Trend Micro recently reported on a new Linux variant of Royal ransomware that targets Linux systems and ESXi servers. The original Windows variant of Royal was first seen in the wild in September 2022. We reported on the Windows version of Royal in December 2022.
Trend Micro researchers assess the threat actors responsible for Royal were formerly affiliated with Conti Team One. Royal was one of the top three most prolific ransomware groups in late 2022. The verticals most heavily targeted by Royal include IT, finance, materials, healthcare, and food production. Targeted locations include North America, Europe, Latin America, Asia Pacific, Africa, and the Middle East.
Royal ransomware is yet another contender among the many ransomware families now targeting Linux systems. The Linux variant of Royal is capable of encrypting victim files, terminating VM processes, and dropping a ransom note on the victim’s machine. It generates a 32-byte string to use as the victim’s ID. Royal creates multiple threads, the number depending on how many processors the infected system has, which increases the speed of the encryption routine. Files encrypted by Royal Linux are appended with the .royal_u extension. It uses AES for encryption and employs intermittent encryption: if the file size is less than or equal to 5,245,000 bytes, or the -ep value is 100, the whole file is encrypted; for files exceeding that size, encryption takes place only over certain calculated blocks. This technique is used to speed up the encryption process.
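To make the intermittent-encryption rule concrete for responders, the following is an added Python triage helper, not code from the Trend Micro or PolySwarm analysis. It applies the size/-ep rule stated above and then scans a file chunk by chunk for low-entropy regions, which is how an analyst would look for plaintext that block-wise encryption leaves untouched in a partially encrypted .royal_u file. The 4 KiB chunk size, the 7.0 bits/byte randomness threshold and the sample bytes are assumptions constructed for the example.

```python
import math
import os

# 5,245,000-byte threshold and extension come from the analysis above;
# chunk size and entropy threshold are assumptions for this example.
FULL_ENCRYPT_MAX_SIZE = 5_245_000   # at or below this the whole file is encrypted
ROYAL_EXTENSION = ".royal_u"
CHUNK_SIZE = 4096
RANDOM_THRESHOLD = 7.0              # bits/byte; AES output is near 8.0, text far lower

def expected_mode(file_size, ep_value):
    """'full' when size <= 5,245,000 bytes or -ep is 100, else 'partial' (block-wise)."""
    if file_size <= FULL_ENCRYPT_MAX_SIZE or ep_value == 100:
        return "full"
    return "partial"

def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def plaintext_ranges(data, chunk_size=CHUNK_SIZE, threshold=RANDOM_THRESHOLD):
    """Merged (start, end) byte ranges whose chunks fall below the randomness
    threshold, i.e. regions intermittent encryption may have left recoverable."""
    ranges = []
    for off in range(0, len(data), chunk_size):
        end = min(off + chunk_size, len(data))
        if shannon_entropy(data[off:end]) >= threshold:
            continue                              # looks encrypted, skip
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)     # extend the previous range
        else:
            ranges.append((off, end))
    return ranges

def triage(filename, data, ep_value):
    """Per-file summary: Royal extension present, predicted mode, surviving plaintext."""
    return {
        "royal_extension": filename.endswith(ROYAL_EXTENSION),
        "expected_mode": expected_mode(len(data), ep_value),
        "plaintext_ranges": plaintext_ranges(data),
    }

# Constructed sample: three random chunks standing in for encrypted blocks,
# followed by two chunks of repetitive text standing in for untouched plaintext.
SAMPLE = os.urandom(3 * CHUNK_SIZE) + (b"payroll record\n" * 600)[: 2 * CHUNK_SIZE]
```

Running `triage("budget.xlsx" + ROYAL_EXTENSION, SAMPLE, ep_value=50)` reports the plaintext range starting at byte 12288, the kind of region worth carving before any recovery attempt.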
PolySwarm has multiple samples of the Linux variant of Royal.
You can use the following CLI command to search for all Royal samples in our portal:
$ polyswarm link list -f Royal