Cheers ransomware hits VMware ESXi systems

Another ransomware strain is targeting VMware ESXi servers

Ransomware hits VMware ESXi systems

Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

ESXi, a bare metal hypervisor that installs easily on to your server and partitions it into multiple virtual machines.  It is used by a broad range of organizations throughout the world and has become the target of ransomware.

The common use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtual systems and connected devices.

Compromising ESXi servers is a means to swiftly spread the ransomware to many devices.

Cheers ransomware

The latest ransomware is one  researchers are calling Cheerscrypt – or simply Cheers – and like an increasing number of outbreaks, comes with a double-extortion threat aimed at incentivizing victims to pay the demanded ransom.

In the ransom note that pops up on a victim's screens, the cybercriminals give the organization three days to contact them. Otherwise, the group will publicly release data exfiltrated from the compromised box, and increase the amount of the ransom.

To pull this off, it appears miscreants have to achieve privileged shell access to the targeted ESXi hypervisor server, or otherwise gain the ability to run commands on the host. Once uploaded to and running on the ESXi server in a Linux environment, the Cheers ransomware runs a command to terminate all the running virtual machine (VM) processes using an esxcli command, and runs the code to encrypt data on the box.

The ransomware seeks out log files and VMware-related files that have the extensions .log, .vmdk, .vmem, .vswp, and .vmsn. For every directory it encrypts, the malware will leave a ransomware noted named "How to Restore Your Files.txt." Files that have been successfully encrypted are given the .Cheers extension.

Once the encryption is completed, the ransomware displays statistics of what it's done, from the number of encrypted files and that of files it didn't encrypt to the amount of the encrypted data.

The Cheerscrypt executable file includes the public half of a public-private key pair; the malware's masterminds keep hold of the private half to themselves. The program uses the SOSEMANUK stream cipher to encrypt the compromised machine's data.

Organizations need to be proactive when protecting systems against ransomware and other attacks.

Just as attackers do a risk/reward calculation to determine the attack surface of choice, so should defenders do a cost/benefit analysis on mitigation.

For more on Ransomware, and how you can protect yourself, email