
Cheerscrypt Ransomware

A new Linux-based ransomware family targeting VMware ESXi servers has been uncovered by cybersecurity researchers. Details about this particular malware were revealed in a report by Trend Micro, which tracks the threat as Cheerscrypt, or the Cheers Ransomware. It should be noted that this is not the first malicious attempt to exploit ESXi servers. Previously, ransomware families such as LockBit, Hive, and RansomEXX have all targeted ESXi systems with the intent of extorting money from the affected organizations.

Enterprises widely use ESXi for creating and running virtual machines (VMs) that share the same drive storage. Its wide adoption by organizations of all sizes and geographic locations has made ESXi servers a lucrative target for cybercriminal organizations.

Technical Details

Before it can be fully deployed on the infected device, Cheerscrypt requires a specific input parameter that specifies the exact path to encrypt. Afterward, the threat executes a command via ESXCLI to terminate currently running VM processes. It does so to ensure the successful encryption of VMware-related files that might otherwise be inaccessible while the VMs are running. This matters because the threat specifically targets files with the '.log', '.vmdk', '.vmem', '.vswp' and '.vmsn' extensions.

For its encryption routine, Cheerscrypt uses a combination of the SOSEMANUK stream cipher and ECDH. Files are encrypted with SOSEMANUK, while ECDH is responsible for generating the key. Each locked file has '.Cheers' appended to its name as a new extension. A peculiar characteristic of the threat is that it renames the files before starting their encryption.
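The two observable behaviors described above, the ESXCLI VM-termination step and the '.Cheers' suffix appended to VM files, can be turned into a simple triage check. The following is an added example written for this page, not code from Trend Micro or from the malware; the log lines and paths it scans are constructed, and the log format only loosely imitates an ESXi shell log.

```python
import re
from pathlib import PurePosixPath

# File extensions the page says Cheerscrypt targets, and the suffix it appends.
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}
RANSOM_SUFFIX = ".Cheers"

# The ESXCLI command family used to terminate running VMs before encryption.
VM_KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b")


def flag_vm_kills(lines):
    """Return the log lines that invoke 'esxcli vm process kill'."""
    return [ln for ln in lines if VM_KILL_RE.search(ln)]


def is_cheers_encrypted(path):
    """True if the name ends in .Cheers and the original extension is a VM file type."""
    p = PurePosixPath(path)
    if p.suffix != RANSOM_SUFFIX:
        return False
    # Strip the appended suffix and inspect the original extension underneath it.
    return PurePosixPath(p.stem).suffix.lower() in TARGET_EXTS


def triage(lines, paths):
    """Combine both indicators into one report dictionary."""
    return {
        "vm_kill_commands": flag_vm_kills(lines),
        "encrypted_files": [p for p in paths if is_cheers_encrypted(p)],
    }


# Constructed sample data (hypothetical; not from the page or a real incident).
SAMPLE_LOG = [
    "2022-05-25T10:00:01Z shell[2001]: [root]: esxcli vm process list",
    "2022-05-25T10:00:05Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2099",
    "2022-05-25T10:00:09Z shell[2001]: [root]: ls /vmfs/volumes",
]
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.Cheers",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.Cheers",
    "/vmfs/volumes/ds1/web01/vmware.log.Cheers",
    "/vmfs/volumes/ds1/web01/notes.txt.Cheers",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_PATHS))
```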

The ransom note of Cheerscrypt reveals that its cybercriminal operators are running a double-extortion scheme. Apart from locking their victims' files, the hackers also claim to have collected valuable confidential information from the breached systems. If their demands are not met within 3 days, the threat actors warn that they will begin publishing the acquired information.
