Security researchers have discovered a new ransomware family that targets Linux systems. Called Cheerscrypt, it targets VMware ESXi servers. Notably, last year two vulnerabilities in VMware ESXi were used in the attacks of at least one prominent ransomware gang, and ESXi servers have also been targeted by other ransomware families, including LockBit, Hive, and RansomEXX.
VMware ESXi is an enterprise-class, type-1 hypervisor that serves virtual machines sharing the same hard drive storage. According to Trend Micro’s report, the new ransomware family targeted a customer’s ESXi server used to manage VMware files.
Cheerscrypt Ransomware Family: What Is Known So Far?
How does the Cheerscrypt infection routine take place? Once an infection occurs, the ransomware operators launch the encryptor, which is set to automatically enumerate the running VMs and shut them down via a specific esxcli command.
Upon encryption, the ransomware locates files with the .log, .vmdk, .vmem, .vswp, and .vmsn extensions, which correspond to various ESXi log files, snapshots, and virtual disks. Encrypted files receive the .cheers extension, with the curious detail that the file is renamed before it is encrypted. This means that if access permission is denied, the encryption fails, but the file nonetheless remains renamed.
As for the encryption itself, it relies on a public/private key pair to derive the secret key for the SOSEMANUK stream cipher. The per-file public key is appended to each encrypted file, and the private key used to derive the secret is never saved:
Cheerscrypt’s executable file contains the public key of a matching key pair with the private key being held by the malicious actor. The ransomware uses SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key. For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux’s /dev/urandom. It then uses its embedded public key and the generated private key to create a secret key that will be used as a SOSEMANUK key. After encrypting the file, it will append the generated public key to it. Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor’s private key is known.
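The construction Trend Micro describes above is the standard hybrid (ECIES-style) scheme: a static key pair whose private half stays with the key holder, a fresh ephemeral key pair per file, and a stream cipher keyed from the ECDH shared secret. The following is an added, self-contained example written for this article; it is not Cheerscrypt’s code or Trend Micro’s, and it makes two assumptions: X25519 stands in for the unspecified ECDH curve, and AES-256-CTR stands in for SOSEMANUK, which is not in the Go standard library. It shows the two facts the quoted paragraph states, namely that the holder of the static private key reaches the same shared secret from the appended public key, and that the appended public key on its own (the only key material an analyst can recover from an encrypted file) is not enough to derive the cipher key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pubKeyLen is the size of an X25519 public key, which is what gets
// appended to each ciphertext in this example (assumption: the text
// does not name the curve).
const pubKeyLen = 32

// streamKey derives a 256-bit symmetric key from an ECDH shared secret.
// Both sides of the exchange compute the same value.
func streamKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// xorStream applies a stream cipher to data. AES-256-CTR stands in for
// SOSEMANUK here; the key is single-use, so a fixed IV does not repeat a stream.
func xorStream(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// encryptWithStaticPub is the per-file step from the quoted description:
// generate an ephemeral key pair, combine its private half with the static
// public key, encrypt, and append the ephemeral public key. The ephemeral
// private key is a local variable and is not stored anywhere.
func encryptWithStaticPub(staticPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	key, err := streamKey(eph, staticPub)
	if err != nil {
		return nil, err
	}
	ct, err := xorStream(key, plaintext)
	if err != nil {
		return nil, err
	}
	return append(ct, eph.PublicKey().Bytes()...), nil
}

// splitSealed separates the ciphertext body from the trailing public key.
// This is the forensic view: the appended key is recoverable, the cipher key is not.
func splitSealed(sealed []byte) (body, ephPub []byte, err error) {
	if len(sealed) < pubKeyLen {
		return nil, nil, errors.New("data shorter than an appended public key")
	}
	n := len(sealed) - pubKeyLen
	return sealed[:n], sealed[n:], nil
}

// decryptWithStaticPriv is the key holder's path: static private key plus
// the appended ephemeral public key yields the same shared secret.
func decryptWithStaticPriv(staticPriv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	body, ephBytes, err := splitSealed(sealed)
	if err != nil {
		return nil, err
	}
	ephPub, err := ecdh.X25519().NewPublicKey(ephBytes)
	if err != nil {
		return nil, err
	}
	key, err := streamKey(staticPriv, ephPub)
	if err != nil {
		return nil, err
	}
	return xorStream(key, body)
}

// roundTrip runs the whole exchange: it returns the plaintext recovered with
// the correct static private key, the result of trying a different static
// key (which must not match), and the length of the appended public key.
func roundTrip(plaintext []byte) (withKey, wrongKey []byte, ephPubLen int, err error) {
	static, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, 0, err
	}
	other, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, 0, err
	}
	sealed, err := encryptWithStaticPub(static.PublicKey(), plaintext)
	if err != nil {
		return nil, nil, 0, err
	}
	_, ephPub, err := splitSealed(sealed)
	if err != nil {
		return nil, nil, 0, err
	}
	withKey, err = decryptWithStaticPriv(static, sealed)
	if err != nil {
		return nil, nil, 0, err
	}
	wrongKey, err = decryptWithStaticPriv(other, sealed)
	return withKey, wrongKey, len(ephPub), err
}

func main() {
	// Constructed sample input; not taken from any real file.
	sample := []byte("constructed sample record, not a real virtual disk")
	ok, bad, n, err := roundTrip(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("appended public key: %d bytes\n", n)
	fmt.Printf("with static private key: %q\n", ok)
	fmt.Printf("with a different key: %x\n", bad)
}
```

The point for defenders is the asymmetry the article draws: everything recoverable from the encrypted file (ciphertext plus the appended public key) is public material, so recovery depends on backups and isolation rather than on any analysis of the files themselves.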
It is also noteworthy that Cheerscrypt ransomware operators rely on the double extortion technique to increase the chance of victims paying the ransom.
In conclusion, this ransomware is definitely a threat to enterprises, as ESXi is widely deployed in enterprise settings for server virtualization. ESXi servers have previously been compromised by other malware and ransomware families, and cybercriminals will be looking into ways to “upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain,” the researchers concluded.
Previously Discovered Linux Ransomware Samples
One of the most common ransomware threats for Linux in 2021 was DarkRadiation, a ransomware coded in Bash that specifically targeted Red Hat/CentOS and Debian Linux distributions. Whoever is behind this ransomware used “a variety of hacking tools to move laterally on victims’ networks to deploy ransomware,” Trend Micro said. The hacking tools included various reconnaissance and spreader scripts, specific exploits for Red Hat and CentOS, and binary injectors, among others, most of which were barely detected on VirusTotal.