A new form of Linux-based ransomware has been found targeting VMware Inc. ESXi servers. VMware ESXi is a hypervisor developed by VMware for deploying and running virtual machines.
Detailed by researchers at Trend Micro Inc., the new form of ransomware has been dubbed “Cheerscrypt.” The ransomware encrypts VMware-related files and shares some similarities with other ransomware families such as LockBit, Hive and RansomEXX, which have previously targeted VMware ESXi servers.
The name Cheerscrypt is derived from what the ransomware does. Having gained access to a VMware ESXi server, Cheerscrypt seeks out files with the extensions .log, .vmdk, .vmem, .vswp and .vmsn, which correspond to ESXi log files, virtual disks, paging files, swap files and snapshots. It then adds .Cheers to the end of the file names before encrypting them.
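Because the renaming described above is visible on disk, a defender can sweep a datastore listing for the pattern. The following is an added example, not code from the article or from Trend Micro: it flags any path ending in one of the targeted extensions plus .Cheers, labels the ESXi artifact type, and counts hits per VM directory to size the blast radius. The directory layout and file names in the sample listing are constructed for illustration.

```python
import re
from collections import Counter

# Extensions the article says Cheerscrypt targets, mapped to the ESXi artifact type.
TARGET_EXTENSIONS = {
    ".log": "log file",
    ".vmdk": "virtual disk",
    ".vmem": "paging file",
    ".vswp": "swap file",
    ".vmsn": "snapshot",
}
RANSOM_SUFFIX = ".Cheers"

# Matches "<name>.<targeted ext>.Cheers" at the end of a path.
_PATTERN = re.compile(
    r"(?P<ext>" + "|".join(re.escape(e) for e in TARGET_EXTENSIONS) + r")"
    + re.escape(RANSOM_SUFFIX) + r"$"
)


def find_renamed_files(paths):
    """Return (path, artifact_type) for every file carrying the .Cheers suffix."""
    hits = []
    for path in paths:
        m = _PATTERN.search(path)
        if m:
            hits.append((path, TARGET_EXTENSIONS[m.group("ext")]))
    return hits


def affected_vm_dirs(hits):
    """Count renamed files per VM directory so responders can see which VMs are hit."""
    counts = Counter(path.rsplit("/", 1)[0] for path, _ in hits)
    return dict(counts)


# Constructed sample listing, as `find /vmfs/volumes -type f` might print it; not real data.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.Cheers",
    "/vmfs/volumes/ds1/web01/web01-Snapshot1.vmsn.Cheers",
    "/vmfs/volumes/ds1/web01/vmware.log.Cheers",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vswp.Cheers",
    "/vmfs/volumes/ds1/db01/db01.vmem.Cheers",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/notes/Cheers.txt",
]

if __name__ == "__main__":
    hits = find_renamed_files(SAMPLE_LISTING)
    for path, kind in hits:
        print(f"{kind:12} {path}")
    print(affected_vm_dirs(hits))
```

In practice the listing would come from the ESXi host itself or from a backup catalogue; a file that is still named .vmdk but no longer parses is a separate check this sweep does not perform.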
Cheerscrypt, as has become increasingly common with ransomware over the last 12 to 18 months, is double-tap ransomware. Not only do those behind it demand payment for a decryption key, but they also threaten to release stolen data if the ransom is not paid.
In a ransom note shown by the Trend Micro researchers, the Cheerscrypt hackers open the message with “Cheers!” and then say the victim should contact them within three days, or they will expose some of the stolen data and increase the amount of ransom demanded. Along with warnings not to try to decrypt the files, the hackers say that if they are not contacted, the stolen data will be sold to opponents or criminals.
To reduce the risk of an attack, the researchers conclude that “a proactive stance that ensures solid cybersecurity defenses against modern ransomware threats is crucial for organizations to thrive in an ever-changing threat landscape.” Organizations should establish security frameworks and adopt best practices.
“Most of the world’s organizations run using virtual machines and most of those virtual machines are VMware’s,” Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE. “It makes the job of ransomware attackers far easier because they can encrypt one server, the VMware server, and then encrypt every guest VM it contains.”
“One compromise and encryption command can easily encrypt dozens to hundreds of other virtually-run computers all at once,” Grimes explained. “Most ‘VM shops’ use some sort of VM backup product to back up all guest servers so finding and deleting or corrupting one backup repository kills the backup image for all the hosted guest servers all at once.”
John Gunn, chief executive officer of authentication company Tokenize Inc., noted that “as more organizations improve their security by adopting multifactor authentication with biometrics, they are effectively locking the front door that has been the vulnerability of choice for hackers.
“That doesn’t mean bad actors will go away, they will instead shift their methods to attacks such as this,” Gunn added.