Researchers at Trend Micro have detected a new Linux-based ransomware targeting VMware ESXi servers. ESXi servers are bare-metal hypervisors that house virtual machines with shared hard drive storage. ESXi servers are no strangers to ransomware attacks, with previous ransomware families like LockBit, Hive, RansomEXX, and now Cheerscrypt finding ESXi to be a desirable target for efficiently infecting many virtual machines at once.
The operators of Cheerscrypt employ a double extortion model pioneered by Maze ransomware in 2020, in which the data is not only encrypted, but exfiltrated as well. The operators then demand a ransom to both decrypt files and refrain from publicly sharing the stolen information.
Cheerscrypt's infection routine goes as follows:

- Ransomware is executed with a path to encrypt as an argument
- All virtual machine processes are stopped via ESXCLI
- VMware-related files are then located, by extension:
  - .log
  - .vmdk
  - .vmem
  - .vswp
  - .vmsn
- Target files are renamed with a .Cheer file extension and are then encrypted
- A ransom note is left in each targeted directory
- Statistics of the routine are displayed in a console window
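The rename step above is the most visible artifact a defender can check for on a datastore: every targeted file gains a .Cheer extension. The following Python script is an added example written for this page, not code from Trend Micro or from the ransomware. It walks a datastore directory tree, flags any file carrying the .Cheer extension, and notes whether one of the five listed VMware extensions is still visible underneath it (this assumes .Cheer is appended to the original name rather than replacing its extension, which the article does not state explicitly). The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the article lists as Cheerscrypt's targets.
TARGET_EXTENSIONS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}
# Extension the article says targeted files are renamed to.
CHEER_SUFFIX = ".Cheer"


def classify_path(path):
    """Return a tag for one file path, or None if it looks untouched.

    'renamed_target'  : <name>.<vmware ext>.Cheer (assumes .Cheer is appended)
    'renamed_unknown' : *.Cheer where the original extension is not visible
    """
    p = Path(path)
    if p.suffix != CHEER_SUFFIX:
        return None
    inner = Path(p.stem).suffix.lower()
    if inner in TARGET_EXTENSIONS:
        return "renamed_target"
    return "renamed_unknown"


def scan_datastore(root):
    """Walk a datastore root and return a sorted list of (relative_path, tag)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            tag = classify_path(full)
            if tag:
                hits.append((os.path.relpath(full, root), tag))
    return sorted(hits)


def summarize(hits):
    """Count hits per VM directory so an operator can see the blast radius."""
    per_dir = {}
    for rel, _tag in hits:
        d = os.path.dirname(rel) or "."
        per_dir[d] = per_dir.get(d, 0) + 1
    return per_dir


def build_sample_datastore():
    """Constructed sample tree (not real data): two VM folders, one hit by the rename."""
    root = tempfile.mkdtemp(prefix="ds_")
    layout = [
        "vm-web/vm-web.vmdk.Cheer",
        "vm-web/vm-web.vmem.Cheer",
        "vm-web/vmware.log.Cheer",
        "vm-web/vm-web.vmx",   # config file, not in the article's target list
        "vm-db/vm-db.vmdk",    # untouched VM
        "vm-db/vm-db.vswp",
        "vm-db/notes.Cheer",   # constructed case: original extension not visible
    ]
    for rel in layout:
        dest = Path(root, rel)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(b"")
    return root


if __name__ == "__main__":
    ds = build_sample_datastore()
    found = scan_datastore(ds)
    for rel, tag in found:
        print(f"{tag:16} {rel}")
    print(summarize(found))
```

Point `scan_datastore` at a real datastore mount instead of the constructed tree to inventory affected VM folders; the per-directory summary is what you would hand to a recovery team to prioritise which VMs to restore from backup.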