Researchers have observed a new Linux-based ransomware, Cheerscrypt, that joins other ransomware families such as LockBit and Hive in targeting VMware ESXi servers. Cheerscrypt employs a double extortion scheme to coerce victims into paying the ransom, threatening to leak stolen files, notify customers of the data breach, and […]
“Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices,” said Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, and Warren Sto.Tomas, researchers with Trend Micro. “Organizations should thus expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.”
The ransomware then seeks out log files and VMware-related files with the extensions .log, .vmdk, .vmem, .vswp and .vmsn, encrypts them, and renames them with the .Cheers extension. For each file it generates a fresh public-private key pair, combines the generated private key with a public key embedded in the binary to derive a secret key, and encrypts the file with that secret key. After encryption it appends the generated public key to the encrypted file. This is the usual hybrid design: the generated private key is needed only while the file is being encrypted and never has to be written anywhere, so the secret key can be recomputed only by whoever holds the private counterpart of the embedded public key. Nothing left on the victim host, including the appended public key, is sufficient to recover it.
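To make the key handling concrete, here is an added example that models the per-file scheme just described. It is not Cheerscrypt's code and the page does not name the malware's actual primitives, so X25519, HKDF-SHA256 and ChaCha20-Poly1305 are stand-ins chosen for the demonstration; the extension list and the .Cheers rename are taken from the article, and appending the suffix to the original name is an assumption. The "operator" key pair plays the role of the embedded public key and its offline private half.

```python
"""Added example, not the malware's code: per-file key scheme of the kind
described above, modelled with X25519 + HKDF + ChaCha20-Poly1305 (stand-ins)."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

PUBKEY_LEN = 32   # raw X25519 public key
NONCE_LEN = 12    # ChaCha20-Poly1305 nonce
# Extensions named in the article; ".Cheers" is the rename it describes.
TARGET_EXTENSIONS = (".log", ".vmdk", ".vmem", ".vswp", ".vmsn")
ENCRYPTED_SUFFIX = ".Cheers"


def is_target(path: str) -> bool:
    """File-selection rule from the article."""
    return path.lower().endswith(TARGET_EXTENSIONS)


def encrypted_name(path: str) -> str:
    # Assumption: the suffix is appended to the original file name.
    return path + ENCRYPTED_SUFFIX


def raw_pub(key) -> bytes:
    """Raw 32-byte public key of an X25519 private key."""
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def generate_operator_keypair():
    """Long-term pair: only the public half is embedded in the binary,
    the private half stays with the operator."""
    priv = X25519PrivateKey.generate()
    return priv, raw_pub(priv)


def derive_file_key(shared: bytes, embedded_pub: bytes, ephemeral_pub: bytes) -> bytes:
    # Bind the file key to both public keys so a swapped key yields a different secret.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"per-file-key" + embedded_pub + ephemeral_pub).derive(shared)


def encrypt_blob(embedded_pub: bytes, plaintext: bytes) -> bytes:
    """Victim side: fresh pair per file, secret = DH(ephemeral priv, embedded pub),
    output = nonce || ciphertext || ephemeral pub. The ephemeral private key is
    a local that is simply dropped afterwards."""
    eph_priv = X25519PrivateKey.generate()
    eph_pub = raw_pub(eph_priv)
    shared = eph_priv.exchange(X25519PublicKey.from_public_bytes(embedded_pub))
    key = derive_file_key(shared, embedded_pub, eph_pub)
    nonce = os.urandom(NONCE_LEN)
    ct = ChaCha20Poly1305(key).encrypt(nonce, plaintext, eph_pub)
    return nonce + ct + eph_pub   # appended public key, as the article describes


def decrypt_blob(operator_priv: X25519PrivateKey, blob: bytes) -> bytes:
    """Operator side: recompute the same secret from the appended public key."""
    eph_pub = blob[-PUBKEY_LEN:]
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-PUBKEY_LEN]
    shared = operator_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = derive_file_key(shared, raw_pub(operator_priv), eph_pub)
    return ChaCha20Poly1305(key).decrypt(nonce, ct, eph_pub)


def roundtrip_demo() -> bool:
    """Constructed sample: two encryptions of the same data get different
    per-file keys, and both decrypt only with the operator's private key."""
    operator_priv, embedded_pub = generate_operator_keypair()
    sample = b"constructed sample .vmdk content"
    a, b = encrypt_blob(embedded_pub, sample), encrypt_blob(embedded_pub, sample)
    different_keys = a[-PUBKEY_LEN:] != b[-PUBKEY_LEN:]
    return (different_keys
            and decrypt_blob(operator_priv, a) == sample
            and decrypt_blob(operator_priv, b) == sample)


if __name__ == "__main__":
    print("round trip ok:", roundtrip_demo())
```

The point for a responder is visible in `encrypt_blob`: the only secret material that ever existed on the host is the ephemeral private key and the derived file key, both of which are locals that die with the process. The appended public key lets the operator rebuild the file key, but it is useless to anyone without the private counterpart of the embedded key, so a "decryptor" has to come from that private key, not from anything carved off the ESXi datastore.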