Cheerscrypt Ransomware Attacks VMware ESXi Servers
Cheerscrypt is a strain of ransomware that has been spotted targeting VMware ESXi servers, using the double-extortion approach that has become almost customary in ransomware over the past few years.
Cheerscrypt operators first need elevated privileges on the ESXi server so that they can execute remote commands. It is not clear how privileged shell access is gained, but once the threat actors have it, they issue a command that shuts down all virtual machines on the server. Once the VM processes have stopped, the ransomware begins encrypting files.
A range of VMware-related file types is encrypted, including .vmdk, .vmem, .vmsn and .vswp. Encrypted files get the .Cheers extension appended after their original extension. Every directory in which Cheerscrypt encrypts files receives a copy of the ransom note, named "How to Restore Your Files.txt".
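As an added example (not part of the original report), a small triage script that checks a datastore path for the file-level indicators described above: the .Cheers extension appended after a VMware file extension, and the ransom note name. The directory layout and file names in the sample listing are constructed.

```python
import os
from collections import defaultdict
from pathlib import PurePosixPath
# Indicators taken from the write-up above; names are compared case-insensitively.
VMWARE_EXTENSIONS = {".vmdk", ".vmem", ".vmsn", ".vswp"}
RANSOM_EXTENSION = ".cheers"
RANSOM_NOTE = "How to Restore Your Files.txt"

def classify(filename):
    """Label one file name: 'note', 'encrypted_vm', 'encrypted_other' or None."""
    if filename == RANSOM_NOTE:
        return "note"
    suffixes = PurePosixPath(filename).suffixes
    if not suffixes or suffixes[-1].lower() != RANSOM_EXTENSION:
        return None
    # .Cheers is appended after the original extension, so the second-to-last suffix is the encrypted type.
    original = suffixes[-2].lower() if len(suffixes) >= 2 else ""
    return "encrypted_vm" if original in VMWARE_EXTENSIONS else "encrypted_other"

def scan_paths(paths):
    """Group indicators per directory from an iterable of POSIX path strings."""
    report = defaultdict(lambda: {"note": False, "encrypted_vm": 0, "encrypted_other": 0})
    for p in paths:
        path = PurePosixPath(p)
        label = classify(path.name)
        if label is None:
            continue
        entry = report[str(path.parent)]
        if label == "note":
            entry["note"] = True
        else:
            entry[label] += 1
    return dict(report)

def scan_tree(root):
    """Walk a real datastore path (e.g. under /vmfs/volumes) and classify every file."""
    return scan_paths(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)

def affected_directories(report):
    """Directories showing both a ransom note and at least one encrypted file."""
    return sorted(d for d, e in report.items()
                  if e["note"] and (e["encrypted_vm"] or e["encrypted_other"]))

# Constructed sample listing for offline use; not data from a real incident.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.Cheers",
    "/vmfs/volumes/ds1/web01/web01.vmem.Cheers",
    "/vmfs/volumes/ds1/web01/How to Restore Your Files.txt",
    "/vmfs/volumes/ds1/db01/db01.vmdk",         # untouched disk
    "/vmfs/volumes/ds1/db01/notes.txt.Cheers",  # non-VMware file, also encrypted
]
```

On a live host, `affected_directories(scan_tree("/vmfs/volumes"))` lists the datastore directories where both indicators coincide; a directory with encrypted files but no note may indicate an interrupted run and still deserves a look.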
The note gives victims 3 days to pay the ransom and threatens that, if payment is not made on time, the stolen data will be leaked online and the ransom demand will grow.
VMware ESXi servers have been singled out as particularly lucrative targets: they are used by many large corporations, and by compromising and encrypting a single physical host the threat actors can affect a significant portion of the victim's infrastructure. That means less work for the ransomware operators and maximum potential profit.