
Royal Ransomware Linux Variant

Written by The Hivemind | Mar 3, 2023 6:25:10 PM

Verticals Targeted: IT, Financial, Materials, Healthcare, Food Production

Executive Summary

Trend Micro recently reported on a new Linux variant of Royal ransomware that targets Linux systems and ESXi servers. Royal ransomware is yet another contender among the many ransomware families now targeting Linux systems.

Key Takeaways

  • Industry researchers recently discovered a Linux variant of Royal ransomware.
  • The Linux variant of Royal creates multiple threads and uses intermittent encryption to speed up the encryption process.
  • Files encrypted by the Linux variant of Royal are appended with the .royal_u extension.

What is the Royal Ransomware Linux Variant?

Trend Micro recently reported on a new Linux variant of Royal ransomware that targets Linux systems and ESXi servers. The original Windows variant of Royal was first seen in the wild in September 2022. We reported on the Windows version of Royal in December 2022.


Trend Micro researchers assess the threat actors responsible for Royal were formerly affiliated with Conti Team One. Royal was one of the top three most prolific ransomware groups in late 2022. The verticals most heavily targeted by Royal include IT, finance, materials, healthcare, and food production. Targeted locations include North America, Europe, Latin America, Asia Pacific, Africa, and the Middle East.


Royal ransomware is yet another contender among the many ransomware families now targeting Linux systems. The Linux variant of Royal is capable of encrypting victim files, terminating VM processes, and dropping a ransom note on the victim's machine. It generates a 32-character value to use as the victim's ID. Royal creates multiple threads, with the thread count depending on the number of processors on the infected system, which increases the speed of the encryption routine. Files encrypted by Royal Linux are appended with the .royal_u extension. It uses AES for encryption and employs intermittent encryption. If the file size is less than or equal to 5,245,000 bytes, or the -ep parameter value is 100, the whole file is encrypted. For files exceeding that size, encryption is applied only to certain calculated blocks of the file. This technique is used to speed up the encryption process.
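Intermittent encryption leaves ciphertext and untouched plaintext interleaved inside a large file, and that shows up to a responder as an entropy pattern rather than a uniformly random file. The following is an added triage example, not PolySwarm's or Trend Micro's code: it profiles per-block entropy and reports the .royal_u extension and the 5,245,000-byte threshold named above, while the block size, entropy cutoff and in-memory sample files are constructed assumptions.

```python
import math
import random
from collections import Counter

# Tunables for this example (assumptions, not values from the report).
BLOCK_SIZE = 4096          # window used to profile entropy across a file
HIGH_ENTROPY = 7.5         # bits/byte above which a block looks encrypted
# Values taken from the report.
WHOLE_FILE_LIMIT = 5_245_000   # at or below this size the whole file is encrypted
ROYAL_EXT = ".royal_u"         # extension appended to encrypted files

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each fixed-size block across the buffer."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]

def classify_file(name: str, data: bytes) -> dict:
    """Triage one file: extension hit plus entropy pattern (full = every
    block high entropy, intermittent = high and low blocks interleaved,
    plain = no high-entropy block)."""
    profile = entropy_profile(data)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    if high == 0:
        pattern = "plain"
    elif high == len(profile):
        pattern = "full"
    else:
        pattern = "intermittent"
    return {"name": name, "ext_match": name.endswith(ROYAL_EXT),
            "size": len(data), "expect_whole": len(data) <= WHOLE_FILE_LIMIT,
            "pattern": pattern, "high_blocks": high, "blocks": len(profile)}

def make_samples() -> dict:
    """Constructed in-memory stand-ins for disk files (not real samples)."""
    text = (b"quarterly report line, nothing encrypted here\n" * 100)[:BLOCK_SIZE]
    cipher = random.Random(2023).randbytes(BLOCK_SIZE)  # stands in for AES output
    return {"notes.txt": text * 4,                      # untouched file
            "db.sql.royal_u": cipher * 4,               # small: encrypted whole
            "vm.vmdk.royal_u": (cipher + text) * 641}   # > limit: interleaved

if __name__ == "__main__":
    for name, data in make_samples().items():
        print(classify_file(name, data))
```

A file at or below the limit showing an intermittent profile, or a large file showing none, is worth a second look, since the report's size rule predicts the opposite.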

IOCs

PolySwarm has multiple samples of the Linux variant of Royal.


b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4

06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725

b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c


You can use the following CLI command to search for all Royal samples in our portal:

$ polyswarm link list -f Royal


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports