VMware ESXi Servers targeted by the Cheerscrypt ransomware

June 1, 2022
VMware ESXi Servers Cheerscrypt Ransomware Malware Virtualisation Digital Risk

Researchers have discovered a new ransomware campaign, Cheerscrypt, targeting poorly secured or unpatched VMware ESXi servers. Because VMware ESXi is widely used for server virtualisation in enterprise settings, threat groups are increasingly drawn to it as a target.

Based on reports, the threat group deploys an encryptor that, once it has infected the VMware ESXi host, automatically enumerates the running VMs. The encryptor can then shut those VMs down by issuing a specific esxcli command.

For file encryption, the group searches for files with the extensions [.]log, [.]vmsn, [.]vmem, [.]vmdk, and [.]vswp. These correspond to ESXi log files, snapshots, VM memory (paging) files, virtual disks, and swap files.

According to the ransom notes the adversary drops, victims are given only three days to visit the group's Tor site and negotiate the ransom payment in exchange for a decryption key.

Cheerscrypt employs a double-extortion strategy in its campaigns.

The Cheerscrypt operation's victim extortion and data leak site lists only four targets. The existence of the portal implies that the group exfiltrates data during its attacks and uses the stolen data for other illegal activities.

The threat actors have targeted medium-sized and large organisations, preferring companies that could potentially meet their ransom demands. If a victim does not pay, the Cheerscrypt operators claim they will sell the stolen data to another threat group.

Every encrypted file carries a [.]Cheers extension, and the group renames each file before encrypting it. If permission to rename a file is denied, encryption of that file fails until it can be renamed.
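The targeted extensions and the rename-before-encrypt behaviour described above suggest a simple incident-response triage: given a datastore file listing, separate files already renamed with the [.]Cheers extension from target-type files still untouched, grouped per VM directory. The following is an added example (not code from the article or from any analysed sample); the datastore paths are constructed, and the ransom extension comparison is assumed to be case-sensitive.

```python
# Added example: triage a VMFS datastore listing for Cheerscrypt-style renames.
# The listing below is constructed sample data, not output from a real host.
import posixpath
from collections import defaultdict

# File types the article reports the encryptor searching for.
TARGET_EXTS = {".log", ".vmsn", ".vmem", ".vmdk", ".vswp"}
# Extension appended to files the encryptor renames (assumed case-sensitive).
RANSOM_EXT = ".Cheers"

SAMPLE_LISTING = """
/vmfs/volumes/datastore1/web01/web01.vmdk.Cheers
/vmfs/volumes/datastore1/web01/web01-flat.vmdk.Cheers
/vmfs/volumes/datastore1/web01/vmware.log.Cheers
/vmfs/volumes/datastore1/web01/web01.vmx
/vmfs/volumes/datastore1/db02/db02.vmdk
/vmfs/volumes/datastore1/db02/db02.vswp
/vmfs/volumes/datastore1/db02/db02-Snapshot1.vmsn
/vmfs/volumes/datastore1/db02/db02.nvram
"""


def classify(path):
    """Return (vm_dir, original_ext, renamed) for one datastore path.

    A renamed file keeps its original name underneath the ransom extension,
    so we strip RANSOM_EXT first and then read the real extension.
    """
    vm_dir, name = posixpath.split(path)
    renamed = name.endswith(RANSOM_EXT)
    if renamed:
        name = name[: -len(RANSOM_EXT)]
    ext = posixpath.splitext(name)[1].lower()
    return vm_dir, ext, renamed


def triage(listing):
    """Group target-type files per VM directory into 'renamed' and 'at_risk'.

    Files whose original extension is not in TARGET_EXTS are ignored,
    mirroring what the encryptor itself is reported to search for.
    """
    report = defaultdict(lambda: {"renamed": [], "at_risk": []})
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        vm_dir, ext, renamed = classify(path)
        if ext not in TARGET_EXTS:
            continue
        report[vm_dir]["renamed" if renamed else "at_risk"].append(path)
    return dict(report)
```

Run `triage(SAMPLE_LISTING)` against a listing produced from the datastore; a VM with entries only under `at_risk` has not yet been touched, while one with `renamed` entries has.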

The encryption uses a pair of public and private keys to derive a secret key for each encrypted file. The actors then delete the private key used to derive that secret key, preventing the organisation from recovering the encrypted files.

The widespread use of VMware ESXi for server virtualisation in enterprise settings is why ransomware actors attack these servers so heavily. Organisations should therefore take a proactive approach, such as maintaining a competent cybersecurity defence, to mitigate the impact of ransomware attacks.
