Ransom.Linux.ROYAL.THBOBBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• If the argument -stopvm is used:
  • /bin/sh -c esxcli vm process list > list
  • /bin/sh -c esxcli vm process kill --type=hard --world-id={World ID of the VM to terminate}

Other Details

This Ransomware accepts the following parameters:

• required to proceed to its encryption routine:
  • {path} → directory to encrypt
  • -id {32 byte characters} → Victim ID
• -ep {integer from 0 to 100} → used to define encryption parameter
• -stopvm → used to terminate VM processes via ESXCLi command
• -vmonly → used to only encrypt virtual machines
• -fork → used to create a duplicate child process of itself
• -logs → used to display activity logs

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• .royal_u
• .royal_w
• .sf
• .v00
• .b00
• royal_log_
• readme

It appends the following extension to the file name of the encrypted files:

• .royal_u

It drops the following file(s) as ransom note:

• {Encrypted directory}\readme