Researchers at the IT security company Trend Micro recently discovered a malicious campaign in which attackers infect VMware ESXi servers with new Linux ransomware called Cheerscrypt.
After compromising a VMware ESXi server, the ransomware launches an encryptor that automatically enumerates the running virtual machines and shuts them down using the esxcli command. This lets Cheerscrypt successfully encrypt VMware-related files, appending the .Cheers extension to them. Oddly, the malware renames each file before encrypting it, so a file that cannot be renamed (for lack of permission) is never encrypted.
The ransomware looks for files with the extensions .log, .vmdk, .vmem, .vswp and .vmsns, i.e. logs, swap and memory page files, and virtual disks. In each encrypted directory it drops a ransom note, the file How to Restore Your Files.txt.
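The behaviour described above gives an incident responder a small set of filesystem and shell-history indicators. The following triage script is an added example (not code from Trend Micro or the article): it walks a copy of a datastore and classifies files by the .Cheers extension, the ransom note and the targeted extensions, and flags esxcli VM-termination commands in shell-history lines. The sample directory layout and log lines are constructed, and the exact esxcli flags the malware uses are an assumption.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the description of the malware's behaviour.
RANSOM_NOTE = "How to Restore Your Files.txt"
ENCRYPTED_EXT = ".Cheers"
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsns"}
# Generic ESXi VM-termination command; the exact flags used by the sample are an assumption.
ESXCLI_KILL = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")

# Constructed shell-history lines in the style of ESXi's shell.log (not real victim data).
SAMPLE_SHELL_LOG = [
    "2022-05-25T10:01:00Z shell[2048]: [root]: esxcli vm process list",
    "2022-05-25T10:01:02Z shell[2048]: [root]: esxcli vm process kill --type=force --world-id=2101845",
    "2022-05-25T10:01:09Z shell[2048]: [root]: ls /vmfs/volumes",
]


@dataclass
class TriageReport:
    note_dirs: list = field(default_factory=list)          # directories holding the ransom note
    encrypted: list = field(default_factory=list)          # files renamed to *.Cheers
    unrenamed_targets: list = field(default_factory=list)  # targeted files still under their original name


def triage_tree(root: str) -> TriageReport:
    """Walk a datastore copy and classify files by the Cheerscrypt indicators."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            report.note_dirs.append(os.path.relpath(dirpath, root))
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.endswith(ENCRYPTED_EXT):
                report.encrypted.append(rel)
            elif os.path.splitext(name)[1].lower() in TARGET_EXTS:
                # Targeted file never renamed, so never encrypted (e.g. rename permission missing).
                report.unrenamed_targets.append(rel)
    return report


def suspicious_shell_lines(lines):
    """Return shell-history lines that forcibly terminate VMs via esxcli."""
    return [line for line in lines if ESXCLI_KILL.search(line)]


def build_sample_tree() -> str:
    """Create a constructed datastore layout for a dry run."""
    root = tempfile.mkdtemp(prefix="cheers_demo_")
    vm = os.path.join(root, "vmfs", "volumes", "ds1", "web01")
    os.makedirs(vm)
    for name in ("web01.vmdk.Cheers", "web01.vswp.Cheers", "vmware.log", "web01.vmx", RANSOM_NOTE):
        open(os.path.join(vm, name), "w").close()
    return root
```

Running `triage_tree(build_sample_tree())` on the constructed tree reports one ransom-note directory, two renamed files and one untouched vmware.log.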
The encryption scheme uses a public/private key pair to derive the secret key for the SOSEMANUK stream cipher; that secret key is then embedded in each encrypted file, and the private key used to create it is erased.
Like other well-known ransomware gangs, Cheerscrypt follows the double-extortion tactic: it demands a ransom for recovering the encrypted files and otherwise threatens to publish the data stolen from the victim. The ransom note gives the victim a link to a website on the Tor network where ransom negotiations take place. A unique site is created for each victim, but the URL of the leak site, where the data of organizations that refused to pay is published, is the same for all.
The Cheerscrypt campaign is believed to have begun in March 2022. Although researchers have so far found only a Linux variant of the malware, a Windows variant most likely exists as well.