New Cheerscrypt Ransomware Targets ESXi Virtual Machines

With more companies shifting their operation of business to digital platforms, data is currently one of the more valuable commodities. It should be no surprise that it is a common target of cyber-attacks. Just as data security specialists are developing new ways of defending your data from undesired access, so are the criminals constantly working on more intricate attack methods.

One of the new developments in the ransomware field is Cheerscrypt, a new ransomware strain capable of infecting VMware ESXi systems.

What is ransomware?

Ransomware is one of the most common forms of outsider attack on a database. Attackers most commonly send out emails with infected attachments or phishing links. When a victim opens the infected attachment, their files are encrypted and they are presented with a ransom note containing information on how they might decrypt their data. Most ransom notes explain what has happened to the person’s data and how they can retrieve it, which is most commonly by paying the ransom in cryptocurrency.

Ransomware is a very efficient method of attack, mainly because most ransomware attacks also impose a short deadline for the victims to pay the ransom. When the time runs out, their files are either deleted or a further part of the data is encrypted.

Although most ransomware can be avoided by taking proper security measures, it is virtually impossible to decrypt the attacked data without the appropriate key. This makes it an easy way for attackers to make money off their victims while at the same time potentially disabling any services dependent on the attacked data, causing further financial damage.


Cheerscrypt and VMware ESXi

VMware ESXi is a popular hypervisor for setting up and managing virtual machines. Easy scalability and user-friendly tools make VMware ESXi a popular choice amongst companies and organizations looking to introduce virtual machines into their IT infrastructure. However, because a single host can easily run dozens of virtual machines and plays an essential role in the company’s IT environment, VMware ESXi has become a target of attacks. Cheerscrypt, or simply cheers, is a new ransomware strain designed to target Linux-based VMware virtual machines.

Like other kinds of ransomware, Cheerscrypt attempts to encrypt the victim’s data, preventing them from accessing or modifying it in any manner. To achieve this, the attackers exploit a security weakness in VMware ESXi that lets them reach and encrypt the data stored within virtual machines; this requires privileged shell access to the host or the ability to run commands as the host. Once the Cheerscrypt binary has been uploaded to an exposed Linux server, it runs a command to terminate any virtual machines running on VMware ESXi and then proceeds to encrypt the data. Cheerscrypt targets log files and VMware-related files with the extensions .log, .vmdk, .vmem, .vswp and .vmsn.

Another characteristic of the Cheerscrypt attack is the renaming of encrypted files: each targeted file is given a .cheers extension. However, if the ransomware fails to obtain the required access permissions for a file, it can only rename it, not encrypt it.
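The two details above (the targeted extensions and the .cheers rename) are enough for a first-pass datastore triage. The following is an added example, not Storware’s code or the ransomware’s: it takes a constructed file listing of the kind a find over /vmfs/volumes would produce, groups every .cheers-suffixed file by VM folder, and reports how many hits fall inside the targeted extension set versus outside it.

```python
# Added triage helper (not Storware's code): find Cheerscrypt's .cheers renames
# in a datastore listing and summarise which VM folders and file types were hit.
from collections import defaultdict
from pathlib import PurePosixPath

# File types the post says Cheerscrypt goes after on an ESXi datastore.
TARGETED_EXTENSIONS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}
RANSOM_SUFFIX = ".cheers"

def triage_listing(paths):
    """Map each VM folder to a sorted list of (original_name, original_ext)
    for every path carrying the .cheers suffix. original_ext is the extension
    the file had before the rename."""
    hits = defaultdict(list)
    for raw in paths:
        p = PurePosixPath(raw.strip())
        if p.suffix != RANSOM_SUFFIX:
            continue
        original = p.with_suffix("")  # strip ".cheers"
        hits[str(p.parent)].append((original.name, original.suffix))
    return {folder: sorted(names) for folder, names in hits.items()}

def summarise(hits):
    """Count renamed files inside vs. outside the targeted extension set."""
    targeted = other = 0
    for names in hits.values():
        for _name, ext in names:
            if ext in TARGETED_EXTENSIONS:
                targeted += 1
            else:
                other += 1
    return {"folders": len(hits), "targeted": targeted, "other": other}

# Constructed sample listing, roughly what a find over /vmfs/volumes prints.
SAMPLE_LISTING = """
/vmfs/volumes/datastore1/web01/web01-flat.vmdk
/vmfs/volumes/datastore1/web01/web01.vmdk.cheers
/vmfs/volumes/datastore1/web01/web01.vmem.cheers
/vmfs/volumes/datastore1/web01/vmware.log.cheers
/vmfs/volumes/datastore1/db02/db02.vmsn.cheers
/vmfs/volumes/datastore1/db02/db02.vswp.cheers
/vmfs/volumes/datastore1/db02/notes.txt.cheers
/vmfs/volumes/datastore1/app03/app03.vmdk
""".strip().splitlines()

if __name__ == "__main__":
    print(summarise(triage_listing(SAMPLE_LISTING)))  # {'folders': 2, 'targeted': 5, 'other': 1}
```

A file that was renamed but not encrypted (the permission-failure case the post mentions) looks identical in a listing, so a hit here means "touched by the encryptor", not necessarily "unrecoverable".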

To prevent users from accessing their Linux virtual machines, Cheerscrypt uses a very elaborate encryption scheme. It encrypts the compromised data with the SOSEMANUK stream cipher, combined with a public-private key pair. One part of the public key is attached to each encrypted file and stored within the attacked virtual machine. The private key is generated at the moment of infection; however, it is sent to the attacker and immediately deleted from the host. This makes it impossible to decrypt the virtual machine without the key material held by the attacker.

How to protect your data from Cheerscrypt?

Cheerscrypt is one of the newest ransomware strains, and a sign of what is to come in data security in the near future. Criminal groups constantly develop new attack methods with ever more elaborate ways of encrypting your data. However, there are two easy and efficient measures that protect the data stored in your virtual machines and help you prepare for a potential attack:

• Educate your employees — most ransomware infections happen due to human error. An employee who, for example, accidentally syncs an infected file can put all of the information stored by your organization in jeopardy. The most common method of spreading ransomware is an email containing an infected attachment or a phishing link; such messages are often disguised as corporate email or as messages from potential business partners. With constant technological development, we can expect more intricate phishing tactics to be deployed in the future. To protect your organization against this danger, you must keep yourself and your employees educated on the newest developments in cyber security.

• Regular VMware backups — one of the deadliest aspects of a ransomware attack is that it is virtually impossible to decrypt the data without the proper key on hand. This means that once your data is encrypted, there is not much you can do to retrieve the compromised files. In addition, trying to relocate the data or manipulate it in any way can trigger a failsafe within the ransomware that deletes the data or otherwise makes it unusable. To mitigate the danger of ransomware attacks, regularly back up any data stored within Linux virtual machines.

In conclusion

Virtual machines make for a desirable ransomware target. Since a VMware ESXi host can run several virtual machines, the attackers only need to infect one machine to hold many servers to ransom. Cheerscrypt is a signal for IT security specialists to look further into security improvements for Linux virtual machines and countermeasures against ransomware attacks.

If you’d like to learn more about the Storware Backup and Recovery solution, feel free to contact us or test Storware Backup and Recovery for free -> https://storware.eu/licenses/

Text written by:

Pawel Maczka, CTO at Storware