posted by hubie on Thursday May 11, @04:48AM
from the royal-pain dept.

Royal Ransomware Expands to Target Linux, VMware ESXi:

The Royal ransomware group — which is made up of former members of the Conti gang — has ramped up operations since bursting on the scene last summer, mounting attacks against critical infrastructure and healthcare targets in particular. Most recently, it has expanded its arsenal to target Linux and VMware ESXi environments.

That's according to Palo Alto Networks' Unit 42 division, which noted in an analysis released May 9 that the group has recently launched a variant of its encryptor malware built as an executable and linkable format (ELF) binary.

"[It] is quite similar to the Windows variant, and the sample does not contain any obfuscation," the researchers explained in the posting. "All strings, including the RSA public key and ransom note, are stored as plaintext."

[...] Other researchers previously determined that Royal is likely made up mainly of former members of the Conti ransomware group — specifically, ex-members known as "Team One," according to Unit 42.

Conti, which was responsible for the Ryuk ransomware, famously disbanded last May when the gang's developers began shutting down admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to law enforcement and media attention. At the time, researchers noted that members would likely regroup under new guises — and that's exactly what appears to have occurred.

[...] Most of the organizations impacted by Royal are in the US and Canada, making up 73% of the attacks, according to Unit 42.

[...] "The Unit 42 team has observed this group compromising victims through a BatLoader infection, which threat actors usually spread through search engine optimization (SEO) poisoning," according to the posting. "This infection involves dropping a Cobalt Strike beacon as a precursor to the ransomware execution."

Royal is notable for bucking the trend towards using a ransomware-as-a-service (RaaS) model as Conti did — i.e., rather than partnering with affiliates to carry out the attacks in exchange for a profit share, Royal operates as a private group, doing its own dirty work.

That said, the use of BatLoader might indicate that Royal is forging partnerships to achieve initial access at targeted organizations.

The same infection routine using BatLoader and SEO poisoning (aka malvertising) was previously seen in November — but in that case, the dropper was seen being used to ultimately deliver a range of end-stage malware, not just ransomware, suggesting that its operators offer the tool to a variety of threat actors.
