The Royal ransomware group — which is made up of former members of the Conti gang — has ramped up operations since bursting on the scene last summer, mounting attacks against critical infrastructure and healthcare targets in particular. Most recently, it has expanded its arsenal to target Linux and VMware ESXi environments.

That's according to Palo Alto Networks' Unit 42 division, which noted in an analysis released May 9 that the group has recently launched a variant of its encryptor malware built as an Executable and Linkable Format (ELF) binary.

"[It] is quite similar to the Windows variant, and the sample does not contain any obfuscation," the researchers explained in the posting. "All strings, including the RSA public key and ransom note, are stored as plaintext."

[...] Other researchers previously determined that Royal is likely made up mainly of former members of the Conti ransomware group — specifically, ex-members known as "Team One," according to Unit 42.

Conti, which was responsible for the Ryuk ransomware, famously disbanded last May when the gang's developers began shutting down admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to law enforcement and media attention. At the time, researchers noted that members would likely regroup under new guises — and that's exactly what appears to have occurred.