Cheerscrypt Ransomware Targets VMware ESXi Servers

Cheerscrypt ransomware

• After compromising the VMware ESXi server, the attackers launch the encryptor that automatically enumerates running VMs and shuts them down using a certain esxcli command.
• When encrypting files, it looks for files with the .log, .vmdk, .vmem, .vmsn, and .vswp extensions, which are linked with ESXi snapshots, swap files, paging files, virtual disks, and log files.
• According to the ransom notes, the attackers give their victims three days to access the provided Tor site to negotiate the ransom payment for a working decryption key.

Use of double-extortion tactic

• The very existence of this portal suggests that Cheerscrypt is carrying out data exfiltration during the attacks and making use of the stolen data.
• The victims belong to semi-large size organizations, and it seems that the ransomware group prefers to hit companies that are in a position to pay comparatively larger ransom demands.
• If victims deny paying the ransom, the attackers claim to sell the stolen data to other threat actors. If nobody shows interest in buying the data, it gets posted on the leak portal.

More information

• Each encrypted file has a ‘.Cheers’ extension, however, files are renamed before encryption. If access permission is denied for renaming a file, the encryption fails yet the file is renamed. 
• The encryption uses a pair of public and private keys to derive a secret key, which is added to each encrypted file. The private key used for generating the secret key is deleted to stop recovery.​

Conclusion