The Royal Ransomware Linux Variant Targets VMware ESXi OpenSLP Vulnerability

VTA-00432 – The Royal Ransomware Linux Variant Targets VMware ESXi OpenSLP Vulnerability

In targeted callback phishing attempts, the Royal Group poses as software and food delivery companies in emails that appear to be subscription renewals. These phishing emails contain phone numbers that the victim can contact to cancel the alleged subscription, but, in reality, it is a number to a service hired by the threat actors. When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, which is used to gain initial access to the corporate network. A Royal victim shared that the threat actors breached their network using a vulnerability in their custom web application, showing the threat actors are also being creative in how they gain access to a network.

Once they gain access to a network, they perform the same activities commonly used by other human-operated ransomware operations. They deploy Cobalt Strike for persistence, harvest credentials, spread laterally through the Windows domain, steal data, and ultimately encrypt devices. When encrypting files, the Royal encryptor will append the “.royal” extension to the file names of encrypted files. According to the cybersecurity researcher, there are about 30,000 servers that spread across 160 countries are impacted with the Royal ransomware campaign.

The new Linux Royal Ransomware also comes with support for multiple flags that will give the ransomware operators some control over the encryption process such as stopping all running VMs so they can be encrypted or even encrypting only the virtual machines.


Attack Surfaces:
Endpoint, Endpoint OS

Collection, Command and Control, Discovery, Execution

T1059 – Command and Scripting Interpreter
T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
T1562 – Impair Defenses
T1566 – Phishing
T1016 – System Network Configuration Discovery

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. To disable the OpenSLP service
2. To install the latest updates for ESXi server
3. Verify the sender by checking the email address.
4. Check the link before you click.
5. Avoid sharing sensitive personal information via unsecure channel.
6. Report all scams/spam email.

Contributed by:  Wan

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>