Cheerscrypt plants double-extortion malware on ESXi servers.

Credit: Towfiqu Aham / Getty Images

Researchers at Trend Micro have discovered new Linux-based ransomware that is being used to attack VMware ESXi servers. ESXi is a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. Called Cheerscrypt, the malware follows in the footsteps of other ransomware programs—such as LockBit, Hive and RansomEXX—that have found ESXi an efficient way to infect many computers at once with malicious payloads.

Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines. “It makes the job of ransomware attackers far easier because they can encrypt one server—the VMware server—and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once.”

“Most VM shops use some sort of VM backup product to back up all guest servers, so finding and deleting or corrupting one backup repository kills the backup image for all the hosted guest servers all at once,” Grimes adds.

Cheerscrypt gang uses “double extortion”

The Trend Micro researchers—Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, and Warren Sto. Tomas—explain in a company blog that after acquiring an input parameter specifying an encryption path, Cheerscrypt issues a command terminating all VM processes to make sure it can encrypt all VM-related files.

The gang behind Cheerscrypt uses a “double extortion” technique to extract money from its targets, the researchers explain. “Security Alert!!!” the attackers’ ransom message declares. “We hacked your company successfully. All files have been stolen and encrypted by us. If you want to restore your files or avoid file leaks, please contact us.”

The researchers note that Cheerscrypt uses public/private-key encryption to scramble the files on a target’s server. The ransomware’s executable file contains a public key, while the attacker holds the private key needed to decrypt the files encrypted with the public key. Files are encrypted using the SOSEMANUK stream cipher, while ECDH is used to create the SOSEMANUK key.

Expect malicious actors to upgrade malware to expand breach scope

ESXi is widely used in enterprise settings for server virtualization, the researchers explained, and is therefore a popular target for ransomware attacks. Because it is a means to swiftly spread ransomware to many devices, they add, organizations should expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.

“As more organizations improve their security by adopting multi-factor authentication with biometrics, they are effectively locking the front door that has been the vulnerability of choice for hackers,” says John Gunn, CEO of Token. “That doesn’t mean bad actors will go away. They will instead shift their methods to attacks such as this.”
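The researchers describe Cheerscrypt terminating all VM processes on a host before it encrypts VM files, and Grimes notes that one command can take down dozens of guests at once. That behaviour is itself a detection opportunity: a single host powering off many distinct VMs within seconds is rare in normal operation. The Python below is an added example, not code from Trend Micro, the article, or any vendor tool. It parses a constructed, simplified event format (not real ESXi log syntax; the field names, host names and VM names are assumptions made up for this example) and raises an alert for any host whose count of distinct VMs powered off inside a sliding window reaches a threshold, reporting which initiator issued the shutdowns.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed event format for this example (NOT real ESXi log syntax):
# <ISO timestamp> host=<host> event=<event> vm=<vm> [initiator=<who>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"vm=(?P<vm>\S+)(?: initiator=(?P<init>\S+))?$"
)

# Constructed sample: routine power operations on esx01/esx03 and a burst of
# shell-initiated shutdowns on esx02 resembling a pre-encryption VM kill.
SAMPLE_LOG = """\
2024-05-27T10:00:01Z host=esx01 event=vm_power_on vm=web01 initiator=vcenter
2024-05-27T10:05:00Z host=esx01 event=vm_power_off vm=db02 initiator=vcenter
2024-05-27T11:30:00Z host=esx02 event=vm_power_off vm=app01 initiator=shell
2024-05-27T11:30:02Z host=esx02 event=vm_power_off vm=app02 initiator=shell
2024-05-27T11:30:03Z host=esx02 event=vm_power_off vm=app03 initiator=shell
2024-05-27T11:30:05Z host=esx02 event=vm_power_off vm=app04 initiator=shell
2024-05-27T11:30:06Z host=esx02 event=vm_power_off vm=app05 initiator=shell
2024-05-27T12:00:00Z host=esx03 event=vm_power_off vm=x1 initiator=vcenter
2024-05-27T12:20:00Z host=esx03 event=vm_power_off vm=x2 initiator=vcenter
"""


def parse_events(text):
    """Parse lines of the constructed format into (ts, host, event, vm, initiator)
    tuples; malformed lines are skipped rather than aborting the scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["event"], m["vm"], m["init"] or "unknown"))
    return events


def detect_mass_shutdown(events, threshold=4, window_seconds=60):
    """Return {host: alert} for every host on which at least `threshold` distinct
    VMs were powered off within any `window_seconds` sliding window. The alert
    is extended as the burst continues so it covers every VM in the window."""
    window = timedelta(seconds=window_seconds)
    per_host = defaultdict(deque)  # host -> recent (ts, vm, initiator) entries
    alerts = {}
    for ts, host, event, vm, init in sorted(events):
        if event != "vm_power_off":
            continue
        recent = per_host[host]
        recent.append((ts, vm, init))
        # Drop entries that have aged out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        vms = {v for _, v, _ in recent}
        if len(vms) >= threshold:
            alerts[host] = {
                "first_seen": recent[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "vms": sorted(vms),
                "initiators": sorted({i for _, _, i in recent}),
            }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_mass_shutdown(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {len(alert['vms'])} VMs powered off "
              f"between {alert['first_seen']} and {alert['last_seen']} "
              f"by {', '.join(alert['initiators'])}")
```

The threshold and window are deliberately conservative defaults; tune them against a baseline of the host's normal maintenance activity, and treat an initiator other than the management platform as a reason to raise severity rather than as the sole trigger.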
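Grimes's point about a single backup repository is that deleting or corrupting it silently removes the recovery path for every guest at once, so the repository needs to be checked against a record the attacker cannot reach. The Python below is an added example (not from the article, Trend Micro or any backup product) of such a check: it hashes every file in a repository into a manifest authenticated with an HMAC key held offline, then audits the live repository against that manifest and reports missing, modified and unexpected files, as well as whether the manifest itself has been tampered with. The repository layout, file names and the key value in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _hash_tree(repo_dir):
    repo = Path(repo_dir)
    return {str(p.relative_to(repo)): sha256_file(p)
            for p in sorted(repo.rglob("*")) if p.is_file()}


def build_manifest(repo_dir, key):
    """Record every file's digest and authenticate the listing with an HMAC.
    `key` must live off the hypervisor and off the backup host; otherwise an
    attacker who reaches the repository can rewrite the manifest too."""
    entries = _hash_tree(repo_dir)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def audit_repository(repo_dir, manifest, key):
    """Compare the live repository with the signed manifest. A clean result is
    manifest_ok=True with empty missing/modified/unexpected lists."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    recorded = manifest["entries"]
    live = _hash_tree(repo_dir)
    return {
        "manifest_ok": hmac.compare_digest(expected, manifest["mac"]),
        "missing": sorted(set(recorded) - set(live)),
        "modified": sorted(k for k in recorded.keys() & live.keys()
                           if recorded[k] != live[k]),
        "unexpected": sorted(set(live) - set(recorded)),
    }


def demo():
    """Build a constructed repository, take a manifest, then simulate the damage
    the article describes (one image deleted, one overwritten) and audit again.
    Returns (findings_before, findings_after)."""
    key = b"constructed-offline-key-for-example-only"  # assumption: real key is not stored here
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        (repo / "vm-web01.bak").write_bytes(b"web01 image " * 64)
        (repo / "vm-db02.bak").write_bytes(b"db02 image " * 64)
        (repo / "vm-app03.bak").write_bytes(b"app03 image " * 64)
        manifest = build_manifest(repo, key)
        before = audit_repository(repo, manifest, key)

        (repo / "vm-db02.bak").unlink()                         # deleted image
        (repo / "vm-web01.bak").write_bytes(b"\x00" * 256)      # corrupted image
        (repo / "README.txt").write_bytes(b"contact us")        # foreign file
        after = audit_repository(repo, manifest, key)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run the audit from a system that is not reachable with the hypervisor's or backup server's credentials, and store the manifest alongside the key rather than in the repository; a manifest that fails its HMAC check is as strong a signal as a missing image.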