Royal Ransomware Spreads to Linux and VMware ESXi
The first spread was observed around September 2022. The people behind it are probably a subgroup of the infamous Conti threat actor; the group released the Zion ransomware before renaming it Royal ransomware.
Delivery techniques
According to the insurance company “At-Bay”, in November 2022 the malware was reported as the first ransomware to successfully exploit a Citrix vulnerability, “CVE-2022-27510”, gaining access to devices running Citrix ADC or Citrix Gateway in order to carry out ransomware attacks. The threat actor used the Citrix vulnerability before any public exploit was available.
Royal ransomware might also be spread by malware downloaders such as QBot or BATLOADER. The threat actor first initiates a conversation through the target’s contact form; once the target replies by email, an email containing a link to BATLOADER is sent to the target, which ultimately deploys Royal ransomware.
Royal ransomware is also spread via Google Ads or through fake installers that impersonate legitimate software such as Microsoft Teams or Zoom, hosted on websites that look legitimate.
Microsoft also reported a fake TeamViewer website that delivered a BATLOADER executable, which in turn deployed Royal ransomware.
How to protect from this Royal ransomware threat
Since the threat actor uses a variety of techniques to breach companies and deploy Royal ransomware, several infection vectors need to be secured. Further, the threat actor has already proved able to use non-public exploits against software, so all operating systems and software need to be kept up to date and patched at all times.
Emails are the most commonly used way for breaching companies, and this is true for the Royal ransomware gang.
Therefore, security solutions need to be deployed on the web servers, and admins should check all attached files and links contained in emails for malicious content. The check should not be limited to automated static analysis but should also include dynamic analysis in sandboxes.
Be careful when browsing, and scrutinize any navigation to unknown or untrusted websites. The Royal ransomware operators sometimes use fake websites to spread their malware.
Data backup processes should also be taken seriously. You never know.