Researchers at Trend Micro have detected a new Linux-based ransomware targeting VMware ESXi servers. ESXi servers are bare-metal hypervisors that house virtual machines with shared hard drive storage. ESXi servers are no strangers to ransomware attacks, with previous ransomware families like LockBit, Hive, RansomEXX, and now Cheerscrypt finding ESXi to be a desirable target for efficiently infecting many virtual machines at once.
The operators of Cheerscrypt employ a double extortion model pioneered by Maze ransomware in 2020, in which the data is not only encrypted, but exfiltrated as well. The operators then demand a ransom to both decrypt files and refrain from publicly sharing the stolen information.
Cheerscrypt’s infection routine goes as follows:
- Ransomware is executed with a path to encrypt as an argument
- All virtual machine processes are stopped via ESXCLI
- VMware related files are then located
- .log
- .vmdk
- .vmem
- .vswp
- .vmsn
- Target files are renamed with a .Cheer file extension and are then encrypted
- A ransom note is left in each targeted directory
- Statistics of the routine are displayed in a console window
Analyst Notes
Ransomware continues to be a significant threat to organizations of all kinds. Best practices for protecting against ransomware as recommended by the Cybersecurity & Infrastructure Security Agency (CISA) include:
● Frequent backups
○ 3-2-1 backup rule (There should be 3 copies of data; Stored on 2 different media; With 1 copy being off site.
● Keep computers patched and updated
● Use caution with links and when entering website addresses
● Open email attachments with caution
● Verify email senders
● Use and maintain preventative software programs such as antivirus software, firewalls, and email filters
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
https://www.cisa.gov/uscert/ncas/tips/ST19-001
