Industry: N/A | Level: Tactical | Source: Trend Micro
Trend Micro's analysis has identified a Linux-based ransomware named Cheerscrypt that targets VMware ESXi servers. The ransomware uses ESXCLI to terminate VM processes before its encryption routine runs; as Trend Micro notes, "The termination of the VM processes ensures that the ransomware can successfully encrypt VMware-related files." The attackers use a double extortion model, stealing files as well as encrypting them, to pressure victims into paying the ransom to avoid leaks. Encrypted files are renamed with a .Cheers extension.
Anvilogic Use Case:
- VM Shut Down
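
A sketch of the "VM Shut Down" detection described above, added here as an example and not taken from Trend Micro or Anvilogic: it counts `esxcli vm process kill` commands per host across the input and correlates them with files renamed to `.Cheers`. The log layout, the `fileaudit` source, the host names, paths and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# `esxcli vm process kill` is the ESXCLI subcommand that stops a running VM.
KILL_RE = re.compile(r"\besxcli\b.*\bvm\s+process\s+kill\b", re.IGNORECASE)
# Any path carrying the extension named in the report.
CHEERS_RE = re.compile(r"\S+\.Cheers\b")

# Constructed sample events. The "timestamp host source: message" layout and
# the "fileaudit" source are assumptions, not a real ESXi log format.
SAMPLE_LOG = """\
2022-05-25T10:00:01Z esx01 shell: [root]: esxcli vm process list
2022-05-25T10:00:05Z esx01 shell: [root]: esxcli vm process kill --type=force --world-id=1001
2022-05-25T10:00:06Z esx01 shell: [root]: esxcli vm process kill --type=force --world-id=1002
2022-05-25T10:00:09Z esx01 fileaudit: rename /vmfs/volumes/ds1/web01/web01.vmdk -> /vmfs/volumes/ds1/web01/web01.vmdk.Cheers
2022-05-25T11:30:00Z esx02 shell: [root]: esxcli vm process kill --type=soft --world-id=2001
2022-05-25T11:45:00Z esx03 shell: [root]: esxcli vm process list
"""

def detect(log_text, kill_threshold=2):
    """Return one alert per host showing mass VM termination and/or .Cheers files."""
    kills, renamed = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, host, msg = parts
        if KILL_RE.search(msg):
            kills[host].append(ts)
        renamed[host].extend(CHEERS_RE.findall(msg))
    alerts = []
    for host in sorted(set(kills) | set(renamed)):
        mass_kill = len(kills[host]) >= kill_threshold
        has_cheers = bool(renamed[host])
        if not (mass_kill or has_cheers):
            continue  # e.g. a single admin-initiated VM stop
        alerts.append({
            "host": host,
            "severity": "high" if mass_kill and has_cheers else "medium",
            "vm_kills": len(kills[host]),
            "cheers_files": renamed[host],
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold keeps a single administrator-initiated VM stop from alerting on its own; tune it to the normal maintenance pattern of the environment.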