Linux-based ransomware – Targets VMware servers


The new Linux-based ransomware targets VMware servers. Cheerscrypt implants double-extortion malware on ESXi servers

Yes, the new Linux-based ransomware targets VMware servers. Trend Micro researchers have discovered this malware, which is used to attack VMware ESXi servers. ESXi is a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard disk storage space.

Cheerscrypt, the Linux-based ransomware

The malware is called Cheerscrypt, and it follows in the footsteps of other ransomware programs such as LockBit, Hive and RansomEXX, which found ESXi an efficient way to infect many computers with malicious payloads at the same time.


Roger Grimes, a defense and security awareness advocate at KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines.

It makes the work of ransomware attackers much easier because they can encrypt a server, the VMware server, and then encrypt every guest virtual machine it contains. A compromise and encryption command can easily encrypt tens to hundreds of other computers running virtually concurrently.

Grimes continues:

Most virtual machine shops use one product to back up all guest servers. Then finding and deleting or damaging a backup repository “kills” the backup for all guest servers that are connected at the same time.


How does it work?

Trend Micro researchers Arianne Dela Cruz, Byron Gelera and McJustine De Guzman explain in a company blog post how Cheerscrypt works. After acquiring an input parameter that specifies an encryption path, the malware issues a command that terminates all processes in the VM to make sure it can encrypt all of its files.

The gang behind Cheerscrypt uses a “double extortion” technique to extort money from its targets.

Security alarm !!!

reads the attackers’ ransom note, which continues:

We have successfully hacked your company. All files were stolen and encrypted by us. If you want to restore your files or avoid file loss, please contact us.


The researchers note that Cheerscrypt uses public/private key encryption to encrypt files on a target’s server. The ransomware’s executable file contains a public key, while the attacker holds the private key needed to decrypt the files. The files are encrypted with the SOSEMANUK stream cipher, while ECDH is used to create the SOSEMANUK key.

ESXi is a popular target for ransomware attacks because it is a means of quickly spreading ransomware to many devices at the same time.

As more and more organizations improve their security by adopting multi-factor authentication with biometrics, they are effectively blocking the front door for hackers,

says John Gunn, CEO of Token, who nevertheless adds:

This doesn’t mean the bad guys give up. Instead they will change their methods to attacks like this one.

And what do you think of this new Linux-based ransomware? Let us know by leaving a comment below, and keep following us to stay informed about the world of technology (and not only!).