Linux-based Ransomware Cheerscrypt Attacks VMware ESXi Servers

A new ransomware dubbed ‘Cheers’ has appeared in the cybercrime world. It targets VMware ESXi servers that have been found to be vulnerable.

Many large organizations and companies around the world run virtualization platforms such as VMware ESXi, so encrypting those servers seriously disrupts the business operations of the companies using them.

The VMware ESXi platform has been targeted by many ransomware groups in the past, with the most recent ones being:-

  • LockBit
  • Hive

The newest addition to that list is the ‘Cheerscrypt’ ransomware (aka Cheers), which was discovered by security analysts at Trend Micro.

Cheers: Infection & Encryption

Once a VMware ESXi server has been compromised, the threat actors can launch the encryptor automatically.

The encryptor then enumerates the virtual machines and terminates them with an esxcli command.

The encryption process specifically looks for files with the following extensions:-

  1. .log
  2. .vmdk
  3. .vmem
  4. .vswp
  5. .vmsn

These extensions cover ESXi log files, virtual disks, paging files, swap files, and snapshots. To mark each encrypted file as a Cheers file, the extension “.Cheers” is appended to the file name.

The renaming happens regardless of whether the encryption itself succeeded: a file is still renamed even when access to it was denied.
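As an added defender-side triage example (not code from the article or from Trend Micro), the script below walks a datastore directory and sorts “.Cheers” files into those that were actually encrypted and those that were only renamed, using the entropy of the first bytes as the heuristic. The sample datastore, the placeholder note text and the entropy threshold are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Values taken from the article: appended extension, targeted ESXi file types, note name.
CHEERS_EXT = ".Cheers"
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}
RANSOM_NOTE = "How To Restore Your Files.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: near 8.0 for stream-cipher output, far lower for text or disk headers."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_file(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> str:
    """Classify one '.Cheers' file; the threshold is an assumed heuristic, not a published value."""
    original = path.with_suffix("")  # strip '.Cheers' to recover the original file name
    if original.suffix not in TARGET_EXTS:
        return "unexpected_type"
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    return "encrypted" if shannon_entropy(sample) >= threshold else "renamed_only"


def triage_datastore(root: Path) -> dict:
    """Report ransom notes, encrypted files, and files renamed but never encrypted (recoverable by renaming)."""
    report = {"ransom_notes": [], "encrypted": [], "renamed_only": [], "unexpected_type": []}
    for path in sorted(root.rglob("*")):
        if path.name == RANSOM_NOTE:
            report["ransom_notes"].append(str(path))
        elif path.is_file() and path.suffix == CHEERS_EXT:
            report[triage_file(path)].append(str(path))
    return report


def build_demo_datastore() -> Path:
    """Constructed sample: one renamed-but-intact VMDK descriptor, one high-entropy stand-in for ciphertext, one note."""
    root = Path(tempfile.mkdtemp(prefix="cheers-triage-"))
    vm = root / "vm01"
    vm.mkdir()
    (vm / "vm01.vmdk.Cheers").write_bytes(b"# Disk DescriptorFile\nversion=1\n" * 100)  # renamed only
    (vm / "vm01.vmem.Cheers").write_bytes(os.urandom(8192))  # simulates encrypted content
    (vm / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    print(triage_datastore(build_demo_datastore()))
```

Files reported as renamed_only can be restored by removing the appended extension, while encrypted files need the ransomware's private key or a backup.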

To encrypt files, the ransomware uses the SOSEMANUK stream cipher, and it derives the SOSEMANUK key via ECDH. For each file it encrypts, the software generates an ECDH public/private key pair from Linux’s /dev/urandom.

The secret key used as the SOSEMANUK key is then produced by combining the public key embedded in the malware with the freshly generated private key.

Ransom note

In each folder that is scanned for files to encrypt, the ransomware drops a ransom note demanding payment. The note is titled ‘How To Restore Your Files.txt’ and describes how the hijacked files could be restored.

In these ransom notes, the victim is told what happened to their files. Additionally, there is information on where to find Tor data leak sites and ransom negotiation websites linked to the ransomware operations.

The note includes the URL of the operation’s Onion data leak site, and each victim gets their own Tor negotiation page.

Recommendations 

The cybersecurity experts at Trend Micro have recommended the following mitigations:-

  • Deploy solid cybersecurity defenses.
  • Always use robust security AV tools.
  • Make sure to establish security frameworks.
  • Develop your own cybersecurity strategies.
  • Adopt best security practices.
  • Always use two-factor authentication.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.