Linux-Based Ransomware Cheerscrypt Targets VMware ESXi Devices


Security researchers at Trendmicro have discovered multiple Linux-based ransomware detections that malicious actors launched to target VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage.

In the past, ESXi servers were also attacked by other known ransomware families such as LockBit, Hive, and RansomEXX as an efficient way to infect many computers with ransomware.

Also Read: Detect Most Common Malicious Actions in the Linux Environment

Attack Details

The ransomware requires an input parameter specifying the path to encrypt so that it can proceed to its Infection routine.

Source: Trendmicro

Upon execution, it implements the following command to terminate VM processes using ESXCLI:

“esxcli vm process kill –type=force –world-id=$(esxcli vm process list|grep ‘World ID’|awk ‘{print $3}’)”

The termination of the VM processes ensures that the ransomware can successfully encrypt VMware-related files.Similar to other infamous ransomware families, Cheerscrypt employs the double extortion scheme to coerce its victim to pay the ransom, as shown on their ransom note.

Source: Bleepingcomputer

Successfully encrypted files are renamed with the .Cheers extension. However, the ransomware first renames the files it will encrypt before encrypting the files.Thus, if the access permission for the file was not granted, it cannot proceed with the actual encryption.

Also Read: Linux Audit Logs cheatsheet – Detect & Respond Faster

For each directory it encrypts, it will drop the ransom note named, “How to Restore Your Files.txt”. It seeks out log files and VMware-related files with the following extensions:

      .log ·       .vmdk ·       .vmem ·       .vswp ·       .vmsn

After successful encryption, it displays the following console that contains the data statistics of its routine:

Source: Trendmicro

Encryption Algorithm

Cheerscrypt’s executable file contains the public key of a matching key pair with the private key being held by the malicious actor. The ransomware uses SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key.For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux’s /dev/urandom.

It then uses its embedded public key and the generated private key to create a secret key that will be used as a SOSEMANUK key.

After encrypting the file, it will append the generated public key to it. Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor’s private key is known.

Source: Trendmicro

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

Organizations can benefit from following the security frameworks established by the Center of Internet Security and the National Institute of Standards and Technology when developing their own cybersecurity strategies. The frameworks they created help security teams mitigate risks and minimize exposure to threats. Adopting the best practices discussed in their respective frameworks can save organizations time and effort when they customize their own.


Previous articleSplunk Commands – BIN and its Arguments
Next articleASEC Weekly Malware Statistics
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here