
Cheers: Linux-based Ransomware Attacks on VMware ESXi Devices

A new ransomware strain known as “Cheers” has been discovered targeting VMware ESXi systems. Cheers is a Linux-based ransomware launched against VMware ESXi servers, the bare-metal hypervisors that host virtual machines and are widely used by large corporations and organizations.

Ransomware attacks against VMware ESXi systems have been on the rise recently, with LockBit and Hive being the most well-known families. VMware is the most popular virtualization platform, with over 500,000 clients around the world, and attacks against it have infected many virtualized machines and connected devices and extorted large sums of money.

How does it work?
</gml_replace>
<gr_replace lines="11" cat="clarify" orig="After Cheers terminates">
After Cheers force-kills the virtual machines running on the VMware ESXi server with the following command line, it encrypts files with the .log, .vmdk, .vmem, .vswp, and .vmsn extensions and renames each successfully encrypted file with the .Cheers extension. Those extensions belong to ESXi snapshots, log files, swap files, paging files, and virtual disks.

After Cheers terminates the VMware ESXi server with following command line, it encrypts files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions and renames the successfully encrypted flies as .Cheers extension. Those extensions are related to ESXi snapshots, log files, swap files, paging files and virtual disks.

esxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')

Cheers renames files before encrypting them, which means that if permission to rename is denied, the encryption fails. The encryption uses a pair of ECDH public and private keys owned by the attackers to generate a secret (SOSEMANUK) key, drawing randomness from Linux’s /dev/urandom, and embeds it in the encrypted files. The public key used to generate the secret key is not preserved, so it cannot be combined with the private key to regenerate the secret key. As a result, decryption depends entirely on the criminal gang behind the attack.
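As an added defender-side example (not code from the article or from Vinchin), the following Python checks for the two observable traces described above: the esxcli force-kill command in an ESXi shell log, and files carrying the .Cheers extension on a datastore. The shell.log line format and all sample lines and paths are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Extensions the article says Cheers encrypts, and the extension it appends.
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}
RANSOM_EXT = ".Cheers"

# The force-kill of every VM that Cheers runs before encrypting. We match on the
# command and the force flag rather than the exact world-id expression, since
# the id may be given literally or via command substitution.
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type=force", re.IGNORECASE)

# Constructed sample lines in the style of ESXi's /var/log/shell.log (assumed format).
SAMPLE_SHELL_LOG = [
    "2022-05-20T08:01:12Z shell[2031]: [root]: esxcli vm process list",
    "2022-05-20T08:01:15Z shell[2031]: [root]: esxcli vm process kill "
    "--type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')",
    "2022-05-20T08:03:40Z shell[2031]: [root]: ls /vmfs/volumes/ds1",
]

# Constructed datastore listing: a VM folder after partial encryption.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.Cheers",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/vmware.log.Cheers",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.nvram.Cheers",
]


def suspicious_kill_commands(log_lines):
    """Return the shell log lines that force-kill VMs via esxcli."""
    return [line for line in log_lines if KILL_RE.search(line)]


def encrypted_files(paths):
    """Return (path, original_extension, known_target) for every file that
    carries the ransom extension, e.g. 'web01.vmdk.Cheers' -> '.vmdk'."""
    hits = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix == RANSOM_EXT:
            inner = PurePosixPath(pp.stem).suffix  # extension under .Cheers
            hits.append((p, inner, inner in TARGET_EXTS))
    return hits


def report(log_lines, paths):
    """Summarise both indicators; any non-empty result warrants incident response."""
    return {"kill_commands": suspicious_kill_commands(log_lines),
            "encrypted_files": encrypted_files(paths)}
```

Run `report(SAMPLE_SHELL_LOG, SAMPLE_PATHS)` against real shell.log lines and a datastore file listing; the known_target flag separates the extensions the article names from any other renamed files worth a closer look.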

According to research by BleepingComputer, a technology news website, the new ransomware family emerged in March 2022.

Cheers extorts victims and lists them on its Tor (onion) data leak site, which currently names four victims. They are medium-to-large organizations that were given three days to visit the specified site and negotiate for the secret key; otherwise the gang threatens to leak the stolen files or resell them to other criminals.

What options are available to VMware ESXi users?

How can ransomware be avoided?

Because a network intrusion can never be ruled out entirely, virtualization servers are often only the attackers’ final target. For virtualization users, effective data backup and a well-organized disaster recovery practice are therefore essential. Vinchin Backup & Recovery is a third-party data protection solution for virtualization platforms, including VMware, that provides efficient backup to the cloud and complete data recovery.

Efficient VMware Backup: You can tailor backup methods to your business using the HotAdd transport, CBT technology, and optional backup procedures. The solution includes backup storage protection, which protects VMware backups stored on the Vinchin server by automatically denying unauthorized access that could lead to ransomware encryption.

Well-organized Disaster Recovery: You can build a DR center with offsite backup copies by copying the backups to a remote site, reducing the economic impact of data loss. To maximize their safety and availability, the copies are compressed, encrypted, and sent across a proprietary network. In the case of a system breakdown or other disaster, the Instant Recovery feature gets the target VMware VM up and running in 15 seconds, allowing for almost seamless business continuity.

Download the 60-day free full-featured Vinchin Backup & Recovery to get more sophisticated VMware protection features and get a disaster recovery plan in place.
