{"id":50650,"date":"2023-02-20T00:00:00","date_gmt":"2023-02-20T00:00:00","guid":{"rendered":"urn:uuid:46460906-4e81-df2c-a547-601b08c37abc"},"modified":"2023-02-20T00:00:00","modified_gmt":"2023-02-20T00:00:00","slug":"royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/","title":{"rendered":"Royal Ransomware expands attacks by targeting Linux ESXi servers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Royal-Ransomware-expands-attacks-by-targeting-Linux-ESXi-servers-641.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.169016732469\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" 
role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"2108867222\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.8085106382979\">\n<div class=\"article-details\" role=\"heading\" readability=\"39.234042553191\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following the same path: a new variant targeting Linux systems has emerged, and we provide a technical analysis of this variant in this blog.<\/p>\n<p class=\"article-details__author-by\">By: Nathaniel Morales, Ivan Nicole Chavez, Byron Gelera <time class=\"article-details__date\">February 20, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"46.982869910626\">\n<div readability=\"40.686196623635\">\n<p><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/Ransomware\">Ransomware<\/a>&nbsp;actors have been observed to expand their targets by increasingly developing <a href=\"https:\/\/newsroom.trendmicro.com\/2022-08-31-Trend-Micro-Warns-of-75-Surge-in-Ransomware-Attacks-on-Linux-as-Systems-Adoptions-Soared\">Linux-based versions<\/a>. We predicted in September 2022 that ransomware groups would increasingly target Linux servers and embedded systems in the coming years, after detecting a double-digit year-on-year (YoY) increase in attacks on these systems in the first half of 2022. 
In May 2021 we reported on ransomware variants of <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/21\/e\/darkside-linux-vms-targeted.html\">DarkSide<\/a>, and in May 2022 we found <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\">Cheerscrypt<\/a>, both specifically targeting ESXi servers, which enterprises widely use for server virtualization.<\/p>\n<p>Royal ransomware is following the same path: a new variant targeting Linux systems has emerged, and we provide a technical analysis of this variant in this blog. Royal\u2019s Linux counterpart also targets ESXi servers, an expansion of targets that can have a major impact on victimized enterprise data centers and virtualized storage.<\/p>\n<p>Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html\">Conti Team One<\/a>.<\/p>\n<p>Despite being detected only in September 2022, Royal ransomware was among the three most prolific ransomware groups in the fourth quarter of last year. According to data from ransomware groups\u2019 leak sites, 10.7% were attributed to Royal, with only LockBit and BlackCat ahead of it, accounting for 22.3% and 11.7% respectively. The fact that its threat actors are an offshoot of Conti may explain how quickly it rose to prominence once it made headlines in the ransomware landscape.<\/p>\n<p>Upon examining the ransomware\u2019s attacks, we learned that it combines old and new techniques, which supports the theory that the actors behind it have extensive knowledge of the ransomware scene. 
In its early campaigns, Royal deployed BlackCat\u2019s encryptor, but later shifted to its own encryptor, called Zeon, which dropped ransom notes similar to Conti\u2019s. Royal later rebranded and began using the Royal name in the ransom notes generated by its own encryptor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%201%20Royal.%20Ransom_Note%201.png\" alt=\"Ransom note of Royal ransomware\"><figcaption>Figure 1. Ransom note of Royal ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<p>Royal ransomware targeted small to medium-sized businesses in the fourth quarter of 2022: 51.9% of its victims were small businesses, while 26.8% were medium-sized. Only 11.3% of its victims for this period were large enterprises.<\/p>\n<p>Among its victims, the IT, finance, materials, healthcare, and food and staples industries were its top targets. Threat actors behind Royal focused on targets in North America during the last quarter of 2022, which accounted for three-quarters of its victims in that time period. Royal also targeted enterprises in Europe, Latin America, Asia Pacific, Africa, and the Middle East.<\/p>\n<p>In our analysis, we found that Royal ransomware accepts the following command-line arguments:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>&nbsp;<\/caption>\n<tbody readability=\"6.5\">\n<tr>\n<td><b>Argument<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>-id {32-byte characters}<\/td>\n<td>Used as the victim\u2019s ID, which is appended to the TOR link found in the dropped ransom note. 
The process exits if the ID is not provided, or if the provided string is not 32 bytes long<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-ep<\/td>\n<td>Selects full or partial (intermittent) encryption in the file encryption routine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-stopvm<\/td>\n<td>Used to terminate VM processes via ESXCLI<\/td>\n<\/tr>\n<tr>\n<td>-vmonly<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-fork<\/td>\n<td>Creates a forked process<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-logs<\/td>\n<td>Displays logs of encrypted files<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. Royal ransomware arguments and descriptions<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"154082\" data-modal-title=\"Figure 2. Accepted arguments by Royal ransomware\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%202%20Royal.%20Accepted%20arguments%202.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%202%20Royal.%20Accepted%20arguments%202.png\" alt=\"Accepted arguments by Royal ransomware\"> <\/a><figcaption>Figure 2. 
Accepted arguments by Royal ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"30.196078431373\">\n<div readability=\"10.065359477124\">\n<p>The \u201c-id\u201d parameter, like that of Royal ransomware\u2019s <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html\">Win32 variant<\/a>, requires a 32-byte string in order to proceed, which is then used as the victim\u2019s ID.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%203%20Royal.%20Royal%20ransomware%20checks%20id%20parameter%203.png\" alt=\"Royal ransomware checks -id parameter length if equal to 32 bytes\"><figcaption>Figure 3. Royal ransomware checks whether the -id parameter is 32 bytes long<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The \u201c-path\u201d argument from earlier Royal ransomware Win32 variants was removed in the Linux variant, but a file path argument is still required to execute the ransomware: the first positional argument is used as the path to be encrypted.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%204a%20Royal.%20Royal%20rnasomware%20sets%20the%20file%20path%204.png\" alt=\"Royal ransomware sets the file path as first argument to be accepted and used for search_files function\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"c591cd\" data-modal-title=\"Figure 4. 
Royal ransomware sets the file path as first argument to be accepted and used for search_files function\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%204b%20Royal.%20Royal%20ransomware%20sets%20the%20file%20path%204.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%204b%20Royal.%20Royal%20ransomware%20sets%20the%20file%20path%204.png\" alt=\"Royal ransomware sets the file path as first argument to be accepted and used for search_files function\"> <\/a><figcaption>Figure 4. Royal ransomware sets the file path as the first argument to be accepted and used by the search_files function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Inside the \u201cstop_vm\u201d function, Royal ransomware runs the following command to terminate VM processes using ESXCLI:<\/p>\n<p><i><span class=\"blockquote\">esxcli vm process kill --type=hard --world-id={ }<\/span><\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%205%20Royal.%20Terminating%20VM%20processes%205.png\" alt=\"Terminating VM processes via ESXCLI\"><figcaption>Figure 5. Terminating VM processes via ESXCLI<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Royal ransomware then creates a number of threads that depends on the number of processors of the infected machine. 
It determines the number of processors with the <i>sysconf(84)<\/i> call and multiplies the result by 8 to get the number of threads to create. This significantly speeds up the \u201cthread_func\u201d function, which contains the encryption routine of the ransomware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%206%20Royal.%20Function%20used%20to%206.png\" alt=\"The Royal ransomware function used to determine number of threads to be created\"><figcaption>Figure 6. The Royal ransomware function used to determine the number of threads to be created<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>In the \u201csearch_files\u201d function, Royal ransomware uses the \u201copendir\u201d function to open a specified directory. It then drops the ransom note \u201creadme\u201d into the directory and calls the \u201creaddir\u201d function in a loop to read all entries inside the directory. It then checks the entry type to see whether it is a directory (d_type == 4) or a regular file (d_type == 8). If it is a directory, it recursively calls the \u201csearch_files\u201d function on the entry.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%207%20Royal.%20search_files%20function%207.png\" alt=\"The Royal ransomware search_files function\"><figcaption>Figure 7. 
The Royal ransomware search_files function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.632258064516\">\n<div readability=\"20.796774193548\">\n<p>If the entry is a regular file, it checks the filename and skips files with the following names or extensions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">.royal_u<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.royal_w<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.sf<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.v00<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.b00<\/span><\/li>\n<li><span class=\"rte-red-bullet\">royal_log_<\/span><\/li>\n<li><span class=\"rte-red-bullet\">readme<\/span><\/li>\n<\/ul>\n<p>One of the excluded extensions, \u201c.royal_w\u201d, is the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99\/detection\" target=\"_blank\" rel=\"noopener\">latest<\/a> extension appended by Royal ransomware. We assume that the threat actors use \u201croyal_w\u201d and \u201croyal_u\u201d to distinguish files encrypted by the Windows variant (royal_w) from those encrypted by the Linux variant (royal_u), where u possibly stands for Unix.<\/p>\n<p>Like Royal ransomware\u2019s Win32 variant, the Linux variant uses OpenSSL\u2019s Advanced Encryption Standard (AES) implementation for its encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%208%20Royal.%20RSA%20Public%20Key%208.png\" alt=\"The Royal ransomware RSA Public Key is hardcoded in the binary\"><figcaption>Figure 8. 
The Royal ransomware RSA Public Key is hardcoded in the binary<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%209%20Royal.%20function%20containing%20the%20encryption%209.png\" alt=\"Royal ransomware function containing the encryption routine\"><figcaption>Figure 9. Royal ransomware function containing the encryption routine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Royal ransomware\u2019s threat actors also implement intermittent encryption. The -ep parameter accepts integers from 0 to 100; if the value exceeds 100 or is less than or equal to 0, it is reset to 50. This value is then used as the parameter for intermittent encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2010%20Royal.%20function%20which%20checks%2010.png\" alt=\"Royal ransomware function which checks the parameter used for -ep argument\"><figcaption>Figure 10. Royal ransomware function which checks the parameter used for the -ep argument<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Royal ransomware then generates the AES key and IV using the following function, then encrypts them with RSA. 
The RSA-encrypted AES key and IV are also appended to each encrypted file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2011%20Royal.%20Generation%20of%20AES%20Key%2011.png\" alt=\"Generation of AES Key and IV of Royal ransomware\"><figcaption>Figure 11. Generation of AES Key and IV of Royal ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>If the RSA encryption is successful, it then rounds the file size up to a multiple of 16, as required by AES block encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2012%20Royal.%20rounds%20up%20the%20file%20size%2012.png\" alt=\"Royal ransomware rounds up the file size to multiples of 16\"><figcaption>Figure 12. Royal ransomware rounds up the file size to multiples of 16<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>For the rounded-up files, Royal ransomware then checks whether the size is less than or equal to 5,245,000 bytes or whether the value set with -ep is 100. If either condition is met, it encrypts the whole file. 
For files larger than 5,245,000 bytes, encryption takes place in calculated blocks: it encrypts the first N bytes, skips the next N bytes, and repeats the process.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2013a%20Royal.%20checks%20the%20file%20size%2013.png\" alt=\"Royal ransomware checks the file size if it meets specific conditions before encrypting\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2013b%20Royal.%20checks%20the%20file%20size%20conditions%2013.png\" alt=\"Royal ransomware checks the file size if it meets specific conditions before encrypting\"><figcaption>Figure 13. Royal ransomware checks whether the file size meets specific conditions before encrypting<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2014%20Royal.%20The%20calculation%20of%20N%2014.png\" alt=\"The calculation of N bytes used for intermittent encryption used by Royal ransomware\"><figcaption>Figure 14. 
The calculation of the N bytes used for intermittent encryption by Royal ransomware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>N is calculated as follows:<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"1\">\n<tr readability=\"2\">\n<td>N = (X\/10) * (Original File Size \/ 100), then rounded down to a multiple of 16<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>*where X is the value passed to -ep<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>If the calculated N is greater than 1,024,000, it encrypts 1,024,000-byte blocks instead.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2015%20Royal.%20checks%20the%20file%20size%20if%2015.png\" alt=\"Royal ransomware checks the file size if it is less than 1,024,000 bytes\"><figcaption>Figure 15. Royal ransomware checks whether the file size is less than 1,024,000 bytes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The intermittent encryption technique in the Linux variant closely resembles the encryption done by Royal ransomware\u2019s Win32 variant, and aims to make the encryption faster.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2016%20Royal.%20encryption%20routine%2016.png\" alt=\"Royal ransomware\u2019s encryption routine\"><figcaption>Figure 16. 
Royal ransomware\u2019s encryption routine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Lastly, Royal ransomware appends the \u201croyal_u\u201d file extension to the encrypted files and drops its ransom note into the directory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Fig%2017%20Royal.%20encrypted%20files%2017.png\" alt=\"Some of Royal ransomware\u2019s encrypted files, with the accompanying ransom note\"><figcaption>Figure 17. Some of Royal ransomware\u2019s encrypted files, with the accompanying ransom note<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.721069019201\">\n<div readability=\"23.526725480021\">\n<p>This new variant of Royal ransomware expands its attacks to target ESXi servers, causing great damage to its victims. As the threat actors behind Royal are believed to be seasoned cybercriminals from Conti, they bring extensive knowledge of the ransomware scene, which poses a significant risk to enterprises; we expect to see more activity from the group in the future, and Royal ransomware can be expected to develop new variants for wider impact.<\/p>\n<p>To protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection, backup, and recovery measures to secure data from possible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware that abuses exploits.<\/p>\n<p>We advise users and organizations to update their systems with the latest patches and apply multi-layered defense mechanisms. 
End users and enterprises alike can mitigate the risk of infection from new threats like Royal ransomware by following these security best practices:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Adhere to&nbsp;<a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/virtualization-and-cloud\/best-practices-backing-up-data\">the 3-2-1 rule<\/a>&nbsp;when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/vulnerabilities-and-exploits\/virtual-patching-patch-those-vulnerabilities-before-they-can-be-exploited\">Patch and update systems<\/a>&nbsp;regularly. It\u2019s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"4\">\n<tr>\n<td><b>SHA256<\/b><\/td>\n<td><b>Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c<\/td>\n<td>Ransom.Linux.ROYAL.THBOBBC<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725<\/td>\n<td>Ransom.Linux.ROYAL.THBOBBC<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> 
<!--For Modal-start--> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50651,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9539,9509],"class_list":["post-50650","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Royal Ransomware expands attacks by targeting Linux ESXi servers 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Royal Ransomware expands attacks by targeting Linux ESXi servers 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-20T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Royal-Ransomware-expands-attacks-by-targeting-Linux-ESXi-servers-641.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Royal Ransomware expands attacks by targeting Linux ESXi servers\",\"datePublished\":\"2023-02-20T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/\"},\"wordCount\":1668,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/\",\"name\":\"Royal Ransomware expands attacks by targeting Linux ESXi servers 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png\",\"datePublished\":\"2023-02-20T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png\",\"width\":1101,\"height\":454},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/b
log\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Royal Ransomware expands attacks by targeting Linux ESXi servers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Royal Ransomware expands attacks by targeting Linux ESXi servers 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/","og_locale":"en_US","og_type":"article","og_title":"Royal Ransomware expands attacks by targeting Linux ESXi servers 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-20T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/Royal-Ransomware-expands-attacks-by-targeting-Linux-ESXi-servers-641.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Royal Ransomware expands attacks by targeting Linux ESXi servers","datePublished":"2023-02-20T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/"},"wordCount":1668,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/","url":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/","name":"Royal Ransomware expands attacks by targeting Linux ESXi servers 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png","datePublished":"2023-02-20T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.png","width":1101,"height":454},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Royal Ransomware expands attacks by targeting Linux ESXi servers"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50650"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50650\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50651"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}