Cheerscrypt Ransomware Attacks VMware ESXi Servers

in vmware •  2 years ago  (edited)

Cheerscrypt is a ransomware family that has been found targeting VMware ESXi servers and uses the double-extortion method (encrypting files and threatening to leak stolen data) that has become almost customary for ransomware in the past few years.
Cheerscrypt operators first need to elevate privileges on the ESXi server so that they can execute remote commands. It is unclear how privileged shell access is gained, but once the threat actors have obtained it, they issue a command that shuts down all VMs on the server. Once the VM processes have been terminated, the ransomware begins encrypting files.
When Cheers attacks a VMware ESXi server, it starts the encryptor, which automatically enumerates the running virtual machines and shuts them down using the following esxcli command.
esxcli vm process kill -type=force -world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')
A range of extensions and file types associated with VMware are encrypted, including .vmdk, .vmem, .vmsn and .vswp. Each encrypted file has the .Cheers extension appended to its original name. Cheerscrypt also drops a copy of the ransom note, named "How to Restore Your Files.txt", in every directory in which it encrypts files.
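As an added defender-side example (not code from the post or from any vendor), the following Python flags the forced VM shutdown pattern described above in an ESXi shell-log sample and locates the .Cheers-renamed VM files and ransom notes on a datastore listing. The log line format, the sample lines and the alert thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the style of ESXi /var/log/shell.log; the exact line
# format is an assumption of this example, not something the post documents.
SAMPLE_SHELL_LOG = """\
2022-05-20T10:02:04Z shell[2099000]: [root]: esxcli vm process kill --type=force --world-id=2101234
2022-05-20T10:02:04Z shell[2099000]: [root]: esxcli vm process kill --type=force --world-id=2101235
2022-05-20T10:02:05Z shell[2099000]: [root]: esxcli vm process kill --type=force --world-id=2101236
2022-05-20T11:30:00Z shell[2099000]: [root]: esxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')
"""
LINE_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")
FORCE_KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type=force")
# The post's one-liner: every World ID substituted straight into a force kill.
MASS_KILL_RE = re.compile(r"process\s+kill.*\$\(\s*esxcli\s+vm\s+process\s+list")

def detect_vm_mass_kill(log_text, window_seconds=60, threshold=3):
    """Return alerts for the substituted one-liner or for >= threshold separate
    force kills inside window_seconds (constructed defaults; tune per site)."""
    alerts, kill_times = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, user, cmd = m.groups()
        if MASS_KILL_RE.search(cmd):
            alerts.append(f"{stamp} {user}: force-kill of all VMs via command substitution")
        elif FORCE_KILL_RE.search(cmd):
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
            kill_times = [t for t in kill_times if (ts - t).total_seconds() <= window_seconds]
            kill_times.append(ts)
            if len(kill_times) == threshold:
                alerts.append(f"{stamp} {user}: {threshold} forced VM kills within {window_seconds}s")
    return alerts

# Constructed datastore listing: one VM directory hit, one untouched.
SAMPLE_DATASTORE_FILES = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.Cheers",
    "/vmfs/volumes/datastore1/web01/How to Restore Your Files.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
]
RANSOM_NOTE = "How to Restore Your Files.txt"
VM_EXTS = (".vmdk", ".vmem", ".vmsn", ".vswp")

def find_cheerscrypt_artifacts(paths):
    """Map each directory to the .Cheers-renamed VM files and ransom notes in it."""
    hits = {}
    for path in paths:
        directory, name = path.rsplit("/", 1)
        if name == RANSOM_NOTE or (name.endswith(".Cheers") and name[:-7].endswith(VM_EXTS)):
            hits.setdefault(directory, []).append(name)
    return hits
```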
The note gives victims 3 days to pay the ransom and threatens that the stolen data will be leaked online and that the ransom demand will increase if payment is not made on time.
Cheers appears to have started operating in March 2022, and while only Linux versions of the ransomware have been found so far, variants targeting Windows systems cannot be ruled out either.
According to the ransom notes observed, the attackers give victims three days to log into the provided Tor site and negotiate a ransom payment in exchange for a valid decryption key. If the victim does not pay, the attackers state that they will sell the stolen data to other parties, posing an even greater threat and loss to the victim.
VMware ESXi servers have been cited as particularly lucrative targets because they are used by many large companies and because threat actors can affect significant parts of a victim's infrastructure by compromising and encrypting a single physical host, which means less work for ransomware operators and maximum potential profit. Against this backdrop, enterprises should choose a stronger VMware ESXi backup, recovery and data protection solution.
