Researchers have observed new Linux-based ransomware that joins other ransomware families, like LockBit and Hive, in targeting VMware ESXi servers.
The Cheerscrypt ransomware employs a double extortion scheme to coerce its victim to pay the ransom, threatening to leak the encrypted files, notify customers of the data breach and sell data to victims’ “opponents” or other cybercriminals if the ransom is not paid, said researchers with Trend Micro in an analysis last week. The attackers’ specific targeting of ESXi, a bare-metal hypervisor for creating and running virtual machines that share the same hard drive storage, is notable here. As more organizations transition to ESXi, it is becoming a more popular target for ransomware families including LockBit, Hive and RansomEXX.
“Compromising EXSi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices,” said Arianne Dela Cruz, Byron Gelera, McJustine De Guzman and Warren Sto.Tomas, researchers with Trend Micro. “Organizations should thus expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.”
Upon execution, the ransomware terminates VM processes using ESXCLI, a remote management tool used to manage and troubleshoot various parts of ESXi. By terminating VM processes, the ransomware ensures that it can successfully encrypt VMware-related files.
The ransomware then seeks out log files and VMware-related files with the extensions .log, .vmdk, .vmem, .vswp and .vmsn. Files are encrypted and renamed to the .Cheers extension. In order to encrypt each file, the ransomware generates a public-private key pair, and uses the embedded public key and private key to generate a secret key. Then, after encryption it appends the public key to the encrypted files.
“The ransomware uses SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key,” said researchers. “Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor’s private key is known.”
While Cheerscrypt is pretty straightforward, with minimal obfuscation, researchers noted that it does require a directory argument to be encrypted, potentially suggesting that it is possibly human-operated, or at least has a component to include the argument for execution.
“To some extent, the operators possibly have knowledge about the victim machine to know what directory to encrypt,” said researchers. “Having the [data statistics of its routine] printed out on the console might also indicate that the ransomware is human-operated.”
Researchers said that though Linux-based ransomware families like Cheerscrypt have been increasing recently, Windows-based variants are still preferred by many ransomware gangs, with Windows being the predominant platform for many organizations today.
“Thus, the detections are expectedly low,” they said.