Cybercriminals are well-versed with the extensive use of VMware ESXi in enterprise settings for server virtualization. New Cheerscrypt ransomware was found targeting vulnerable or poorly secured VMware ESXi servers.

Cheerscrypt ransomware

Cheesescrypt is Linux-based ransomware that has been discovered by Trend Micro.
  • After compromising the VMware ESXi server, the attackers launch the encryptor that automatically enumerates running VMs and shuts them down using a certain esxcli command.
  • When encrypting files, it looks for files with the .log, .vmdk, .vmem, .vmsn, and .vswp extensions, which are linked with ESXi snapshots, swap files, paging files, virtual disks, and log files.
  • According to the ransom notes, the attackers give their victims three days to access the provided Tor site to negotiate the ransom payment for a working decryption key.

Use of double-extortion tactic

At present, the victim extortion and data leak site for the Cheerscrypt ransomware operation is showing only four victims.
  • The very existence of this portal suggests that Cheerscrypt is carrying out data exfiltration during the attacks and making use of the stolen data.
  • The victims belong to semi-large size organizations, and it seems that the ransomware group prefers to hit companies that are in a position to pay comparatively larger ransom demands.
  • If victims deny paying the ransom, the attackers claim to sell the stolen data to other threat actors. If nobody shows interest in buying the data, it gets posted on the leak portal.

More information

  • Each encrypted file has a ‘.Cheers’ extension, however, files are renamed before encryption. If access permission is denied for renaming a file, the encryption fails yet the file is renamed. 
  • The encryption uses a pair of public and private keys to derive a secret key, which is added to each encrypted file. The private key used for generating the secret key is deleted to stop recovery.​


VMware ESXi is used in enterprise settings for server virtualization and, for that reason, it is commonly targeted in ransomware attacks. Thus, a proactive stance must be taken by organizations with good cybersecurity defenses against ransomware attacks to stay protected in an ever-changing threat landscape.

Cyware Publisher