{
	"id": "ef732bed-8deb-4aa5-8acc-3efb37db8d91",
	"created_at": "2026-04-06T00:15:40.991961Z",
	"updated_at": "2026-04-10T13:11:24.042676Z",
	"deleted_at": null,
	"sha1_hash": "7401615324ad095d4e72f7c09893d1784b9a87db",
	"title": "Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 606226,
	"plain_text": "Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers\r\nPublished: 2023-02-20 · Archived: 2026-04-05 15:51:29 UTC\r\nRansomware\r\nRansomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following the same path: a new variant targeting Linux systems has emerged, and we provide a technical analysis of this variant in this blog.\r\nBy: Nathaniel Morales, Ivan Nicole Chavez, Byron Gelera | Feb 20, 2023 | Read time: 6 min (1566 words)\r\nRansomware actors have been observed to expand their targets by increasingly developing Linux-based versions. We predicted in September 2022 that ransomware groups would increasingly target Linux servers and embedded systems in the coming years, after detecting a double-digit year-on-year (YoY) increase in attacks on these systems in the first half of 2022. In May 2021 we reported ransomware variants of DarkSide, and in May 2022 we found Cheerscrypt, specifically targeting ESXi servers, which are widely used for server virtualization by enterprises.\r\nRoyal ransomware is following the same path: a new variant targeting Linux systems has emerged, and we provide a technical analysis of this variant in this blog. Royal’s Linux counterpart also targets ESXi servers, an expansion of targets that can have a big impact on victimized enterprise data centers and virtualized storage.\r\nRoyal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.\r\nDeep roots, strong start\r\nDespite being detected only in September 2022, Royal ransomware was among the three most prolific ransomware groups in the fourth quarter of last year. 
According to data from ransomware groups’ leak sites, 10.7% were attributed to Royal, with only LockBit and BlackCat ahead of it, accounting for 22.3% and 11.7% respectively. Its threat actors being an offshoot of Conti may be the reason for its quick claim to fame as soon as it made headlines in the ransomware landscape.\r\nUpon examining the ransomware’s attacks, we learned that it combines old and new techniques, which supports the theory that the actors behind it have extensive knowledge of the ransomware scene. In its early campaigns, Royal deployed BlackCat’s encryptor, but later shifted to its own, called Zeon, which dropped ransom notes similar to Conti’s. Royal later rebranded and began using the Royal name in ransom notes generated by its own encryptor.\r\nhttps://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html\r\nPage 1 of 11\r\nFigure 1. Ransom note of Royal ransomware\r\nRoyal ransomware targeted small to medium-sized businesses in the fourth quarter of 2022: 51.9% of its victims were small businesses, while 26.8% were medium-sized. Only 11.3% of its victims for this period were large enterprises. Among its victims, the IT, finance, materials, healthcare, and food and staples industries were its top targets. The threat actors behind Royal focused on targets in North America during the last quarter of 2022, which accounted for three-quarters of its victims in that period. Royal also targeted enterprises in Europe, Latin America, Asia Pacific, Africa, and the Middle East.\r\nTechnical Analysis\r\nIn our analysis, we found that Royal ransomware accepts the following command-line arguments:\r\nArgument                    Description\r\n-id {32-byte characters}    Used as the victim’s ID, which is appended to the TOR link in the dropped ransom note. 
The process exits if the ID is not provided or if the provided value is not 32 bytes long.\r\n-ep                         Selects full or partial encryption in the file encryption routine.\r\n-stopvm                     Terminates VM processes via ESXCLI.\r\n-vmonly\r\n-fork                       Creates a forked process.\r\n-logs                       Displays logs of encrypted files.\r\nTable 1. Royal ransomware arguments and descriptions\r\nFigure 2. Accepted arguments by Royal ransomware\r\nAs in Royal ransomware’s Win32 variant, the “-id” parameter requires a 32-byte value in order to proceed, and that value is used as the victim’s ID.\r\nFigure 3. Royal ransomware checks whether the -id parameter length equals 32 bytes\r\nThe “-path” argument from earlier Royal ransomware Win32 variants was removed in the Linux variant, but a file path argument is still required in order to execute the ransomware: the first argument is used as the file path to be encrypted.\r\nFigure 4. Royal ransomware takes the file path as the first argument and passes it to the search_files function\r\nInside the “stop_vm” function, Royal ransomware runs the following command to terminate VM processes using ESXCLI:\r\nesxcli vm process kill --type=hard --world-id={ }\r\nFigure 5. Terminating VM processes via ESXCLI\r\nRoyal ransomware then creates a number of threads that depends on the number of processors of the infected machine. It determines the number of processors with the sysconf(84) function and multiplies the result by 8 to obtain the number of threads to create. This significantly speeds up the “thread_func” function, which contains the encryption routine of the ransomware.\r\nFigure 6. The Royal ransomware function used to determine the number of threads to be created\r\nIn the “search_files” function, Royal ransomware uses the “opendir” function to open the specified directory. It then drops the ransom note “readme” in the directory and calls the “readdir” function in a loop to read all entries in the directory. For each entry it checks whether the type is a directory (d_type == 4) or a regular file (d_type == 8). If it is a directory, it recursively calls “search_files” on the entry.\r\nFigure 7. The Royal ransomware search_files function\r\nIf the entry is a regular file, it checks the filename and avoids encrypting files with the following names/extensions:\r\n.royal_u\r\n.royal_w\r\n.sf\r\n.v00\r\n.b00\r\nroyal_log_\r\nreadme\r\nOne of the excluded extensions, “.royal_w”, is the latest extension appended by the Royal ransomware. We assume that “royal_w” and “royal_u” are used by the threat actors to differentiate files encrypted by the Windows variant (royal_w) from those encrypted by the Linux variant (royal_u), where u possibly stands for Unix.\r\nAs in Royal ransomware’s Win32 variant, the Linux variant uses OpenSSL’s Advanced Encryption Standard (AES) implementation for its encryption.\r\nFigure 8. The Royal ransomware RSA public key is hardcoded in the binary\r\nFigure 9. Royal ransomware function containing the encryption routine\r\nRoyal ransomware threat actors also implement intermittent encryption. The -ep parameter accepts integers from 0 to 100; if the integer exceeds 100 or is less than or equal to 0, the value is set to 50. This value is then used as the parameter for intermittent encryption.\r\nFigure 10. Royal ransomware function that checks the value passed to the -ep argument\r\nRoyal ransomware then generates the AES key and IV using the following function and encrypts them with RSA. The RSA-encrypted AES key and IV are also appended to each encrypted file.\r\nFigure 11. Generation of the AES key and IV by Royal ransomware\r\nIf the RSA encryption is successful, it then rounds the file size up to a multiple of 16 bytes, as required by AES encryption.\r\nFigure 12. Royal ransomware rounds up the file size to a multiple of 16\r\nFor the rounded-up file size, Royal ransomware then checks whether the size is less than or equal to 5,245,000 bytes or whether the value set with -ep is 100. If either condition is met, it encrypts the whole file. For files larger than 5,245,000 bytes, encryption takes place in calculated blocks: it encrypts the first N bytes, skips the next N bytes, and repeats the process.\r\nFigure 13. Royal ransomware checks whether the file size meets specific conditions before encrypting\r\nFigure 14. The calculation of the N bytes used for intermittent encryption by Royal ransomware\r\nThe calculation of N bytes is as follows:\r\nN = (X / 10) * (Original File Size / 100), rounded down to a multiple of 16\r\nwhere X is the value set with -ep\r\nIf the calculated N is greater than 1,024,000, it encrypts 1,024,000-byte blocks instead.\r\nFigure 15. Royal ransomware checks whether the file size is less than 1,024,000 bytes\r\nThe intermittent encryption technique of the Linux variant closely resembles the encryption performed by Royal ransomware’s Win32 variant, and aims to make encryption faster.\r\nFigure 16. Royal ransomware’s encryption routine\r\nLastly, Royal ransomware appends the “royal_u” file extension to the encrypted files and drops its ransom note in the directory.\r\nFigure 17. Some of Royal ransomware’s encrypted files, with the accompanying ransom note\r\nConclusion\r\nThis new variant of Royal ransomware expands the group’s attacks to target ESXi servers, causing great damage to its victims. As the threat actors behind Royal are believed to be seasoned cybercriminals from Conti, they are equipped with extensive knowledge of the ransomware scene, which can prove to be a great risk to enterprises, and we expect to see more activity from the group in the future. Royal ransomware can be expected to develop new variants for wider impact.\r\nTo protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection, backup, and recovery measures to secure data from possible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware that abuses exploits.\r\nWe advise users and organizations to update their systems with the latest patches and apply multi-layered defense mechanisms. End users and enterprises alike can mitigate the risk of infection from new threats like Royal ransomware by following these security best practices:\r\n- Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.\r\n- Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.\r\n- Patch and update systems regularly. It’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting software vulnerabilities.\r\nIndicators of Compromise\r\nSHA256                                                           Detection\r\nb57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c Ransom.Linux.ROYAL.THBOBBC\r\n06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725 Ransom.Linux.ROYAL.THBOBBC\r\nSource: https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"
	],
	"report_names": [
		"royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7401615324ad095d4e72f7c09893d1784b9a87db.pdf",
		"text": "https://archive.orkl.eu/7401615324ad095d4e72f7c09893d1784b9a87db.txt",
		"img": "https://archive.orkl.eu/7401615324ad095d4e72f7c09893d1784b9a87db.jpg"
	}
}