Linux version of Royal Ransomware targets VMware ESXi servers

05-Feb-23

The most current ransomware operation, Royal Ransomware, focuses on VMware ESXi virtual machines and has added functionality for encrypting Linux devices to its most recent malware strains. According to BleepingComputer, other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive, have published identical Linux ransomware encryptors. Will Thomas of the Equinix Threat Analysis Center (ETAC) identified the new command-line-based Linux Royal Ransomware strain. When the ransomware encrypts files on the VM, it adds the .royal_u extension to each encrypted file. Royal Ransomware samples that have the additional targeting capabilities were previously difficult for anti-malware programs to identify, but 23 out of 62 malware scanning engines on VirusTotal are now able to do so.
