CyberSecurityBoard
Sponsor Register Login

A type of malicious software called Royal Ransomware designed for Linux systems is attacking VMware ESXi servers

The latest ransomware operation to target Linux devices is Royal Ransomware. It is specifically designed to encrypt VMware ESXi virtual machines. Other ransomware gangs, such as Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive, have also released Linux encryptors. The new Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center and is executed using the command line. It adds the .Royal u extension to all encrypted files on the VM. Anti-malware solutions have had difficulty detecting Royal Ransomware samples, but they are now detected by 23 out of 62 malware scanning engines on VirusTotal. Royal Ransomware is a private operation made up of experienced threat actors who previously worked with the Conti ransomware operation. They began malicious activities in September after first being spotted in January 2022. Initially, they used encryptors from other operations, such as BlackCat, but then transitioned to using their own, starting with Zeon. The group rebranded as Royal and began deploying a new encryptor in attacks that produces ransom notes with the same name. The gang demands ransom payments ranging from $250,000 to tens of millions after encrypting their targets enterprise network systems. In December, the U.S. Department of Health and Human Services warned of Royal ransomware attacks targeting organizations in the Healthcare and Public Healthcare sector. The ransomware group's shift towards targeting ESXi virtual machines is due to the fact that enterprises have transitioned to VMs as they come with improved device management and much more efficient resource handling. After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers. ESXiArgs, a new ransomware strain, was used to scan for and encrypt unpatched servers in a massive campaign targeting ESXi devices worldwide this Friday. Over 100 servers worldwide were compromised in these attacks within just a few hours, according to a Shodan search.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 06 Feb 2023 02:45:03 +0000


Cyber News related to A type of malicious software called Royal Ransomware designed for Linux systems is attacking VMware ESXi servers

Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
1 year ago Hackread.com
A type of malicious software called Royal Ransomware designed for Linux systems is attacking VMware ESXi servers - The latest ransomware operation to target Linux devices is Royal Ransomware. It is specifically designed to encrypt VMware ESXi virtual machines. Other ransomware gangs, such as Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, ...
1 year ago Bleepingcomputer.com
FBI: Royal ransomware asked 350 victims to pay $275 million - The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022. In an update to the original advisory published in March with additional information ...
11 months ago Bleepingcomputer.com
Royal ransomware may soon rebrand, BlackSuit links confirmed The Register - The FBI and the US govt's Cybersecurity and Infrastructure Security Agency have released fresh guidance on the Royal ransomware operation, saying that evidence suggests it may soon undergo a long-speculated rebrand. The agencies didn't specify a ...
11 months ago Theregister.com
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
11 months ago Bleepingcomputer.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
10 months ago Securityboulevard.com
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
4 months ago
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
11 months ago Cysecurity.news
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
1 year ago Thehackernews.com
RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
9 months ago Bleepingcomputer.com
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
8 months ago Cisa.gov
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
CDK Global says all dealers will be back online by Thursday - CDK Global says that its dealer management system, impacted by a massive IT outage following a June 18th ransomware attack, will be back online by Thursday for all car dealerships. The company is also working on restoring access to other affected ...
4 months ago Bleepingcomputer.com
A largescale ransomware attack is targeting VMware ESXi servers around the world - Administrators, hosting providers, and the French Computer Emergency Response Team have warned that attackers are actively targeting VMware ESXi servers that have not been patched against a two-year-old remote code execution vulnerability to deploy ...
1 year ago Bleepingcomputer.com
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
8 months ago Cisa.gov
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs - Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang. The 3AM ransomware gang's activity was first ...
10 months ago Bleepingcomputer.com
The Week in Ransomware - Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article. BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have ...
11 months ago Bleepingcomputer.com
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
9 months ago Bleepingcomputer.com
Ransomware Attack Exploiting an Outdated Vulnerability on Numerous VMware ESXi Servers - Recently, a large-scale ransomware attack has been targeting unpatched and unprotected VMware ESXi servers around the world. The attack, known as ESXiArgs, is exploiting a vulnerability called CVE-2021-21974, which was patched by VMware in February ...
1 year ago Securityweek.com
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
11 months ago Bleepingcomputer.com
Ransomware victims targeted by fake hack-back offers - Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data. Both Royal and Akira ransomware ...
10 months ago Bleepingcomputer.com
New Nevada Ransomware Targets Windows and VMware ESXi Systems - A relatively new ransomware operation known as Nevada is quickly growing in capabilities, targeting Windows and VMware ESXi systems. On December 10, 2022, Nevada ransomware was promoted on the RAMP darknet forums, inviting Russian and ...
1 year ago Bleepingcomputer.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
10 months ago Unit42.paloaltonetworks.com
Group behind LockBit ransomware claims responsibility for cyberattack on Royal Mail - The LockBit ransomware group has been linked to a cyberattack on the UK's leading mail delivery service, Royal Mail, which has caused severe disruption to their international shipping services. LockBitSupport, the ransomware gang's public-facing ...
1 year ago Bleepingcomputer.com
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
11 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)