The Royal Ransomware gang is the latest extortion group to add support for encrypting Linux devices and targeting VMware ESXi virtual machines.
Other ransomware operators already support Linux encryption, including AvosLocker, BlackBasta, BlackMatter, HelloKitty, Hive, LockBit, Luna, Nevada, RansomEXX, and REvil.
BleepingComputer first reported that Equinix Threat Analysis Center (ETAC) researcher Will Thomas discovered the Linux variant of the Royal Ransomware. The new variant appends the .royal_u extension to the filenames of all encrypted files on the VM.
Querying VirusTotal for the hash shared by the expert, we can verify that the ransomware variant currently has a detection rate of 32 out of 63.
According to Thomas, the malware is executed from the command line and supports multiple parameters to control the encryption operations.