Royal Ransomware Spreads to Linux and VMware ESXi

Royal ransomware was first observed around September 2022. The people behind it are probably a subgroup of the infamous Conti threat actor; the group released the Zion ransomware before renaming it Royal ransomware.

Delivery techniques

In November 2022 the insurance company At-Bay reported the malware as the first ransomware to successfully exploit a Citrix vulnerability, CVE-2022-27510, gaining access to devices running Citrix ADC or Citrix Gateway in order to carry out ransomware attacks. The threat actor used the Citrix vulnerability before any public exploit was available.

Royal ransomware may also be spread by malware downloaders such as QBot or BATLOADER. The threat actor first initiates a conversation through the target's contact form; once the target replies by email, an email containing a link to BATLOADER is sent to the target, which ultimately leads to the deployment of Royal ransomware.

Royal ransomware has also spread via Google Ads and via the installation of fake software, posing as legitimate applications such as Microsoft Teams or Zoom hosted on fake websites that look legitimate.

Microsoft also reported a fake TeamViewer website that delivered a BATLOADER executable, which in turn deployed Royal ransomware.

[Figure: teamviewer.png]

How to protect from this Royal ransomware threat

Since the threat actor uses a variety of techniques to breach companies and deploy the Royal ransomware, several infection vectors need to be secured. Further, the threat actor has already proved it is able to exploit vulnerabilities for which no public exploit exists, so all operating systems and software must be kept up to date and patched.

Email is the most commonly used way to breach companies, and this is true for the Royal ransomware gang as well.

Therefore, security solutions need to be deployed on the web servers, and admins should check all attached files and links contained in emails for malicious content. The check should not be limited to automated static analysis but should also include dynamic analysis in sandboxes.

Be careful when browsing, and scrutinize navigation to unknown or untrusted websites. The Royal ransomware operators sometimes use fake websites to spread their malware.

Data backup processes should also be taken seriously. You never know.
