Cheers ransomware hits VMware ESXi systems

Now we can say extortionware has jumped the shark


Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

"ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

Yehuda Rosen, senior software engineer at cybersecurity company nVisium, said an ESXi server "is so much more than just a server."

"It can host dozens of virtualized machines, which increases its importance within an organization's IT environment, and therefore also dramatically raises the chances that an organization will pay the ransom to recover their servers," Rosen told The Register. "If an attacker can hold multiple [virtual] servers ransom by infecting one machine, that decreases their own workload and increases the potential payoff."

The latest ransomware targeting VMware's hypervisor is one Trend's researchers are calling Cheerscrypt – or simply Cheers – and like an increasing number of outbreaks, comes with a double-extortion threat aimed at incentivizing victims to pay the demanded ransom.

ransomware attaack

Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware

READ MORE

In the ransom note that pops up on a victim's screens, the cybercriminals give the organization three days to contact them. Otherwise, the group will publicly release data exfiltrated from the compromised box, and increase the amount of the ransom.

To pull this off, it appears miscreants have to achieve privileged shell access (disabled by default) to the targeted ESXi hypervisor server, or otherwise gain the ability to run commands on the host. Once uploaded to and running on the ESXi server in a Linux environment, the Cheers ransomware runs a command to terminate all the running virtual machine (VM) processes using an esxcli command, and runs the code to encrypt data on the box. "The termination of the VM processes ensures that the ransomware can successfully encrypt VMware-related files," Team Trend wrote.

The ransomware seeks out log files and VMware-related files that have the extensions .log, .vmdk, .vmem, .vswp, and .vmsn. For every directory it encrypts, the malware will leave a ransomware noted named "How to Restore Your Files.txt." Files that have been successfully encrypted are given the .Cheers extension.

In an odd twist, the ransomware first renames the files it plans to encrypt before actually encrypting them, the researcher wrote, adding that "thus, if the access permission for the file was not granted, it cannot proceed with the actual encryption."

Once the encryption is completed, the ransomware displays statistics of what it's done, from the number of encrypted files and that of files it didn't encrypt to the amount of the encrypted data.

The Cheerscrypt executable file includes the public half of a public-private key pair; the malware's masterminds keep hold of the private half to themselves. The program uses the SOSEMANUK stream cipher to encrypt the compromised machine's data. Here's the file-scrambling process, according to Trend:

For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux’s /dev/urandom. It then uses its embedded public key and the generated private key to create a secret key that will be used as a SOSEMANUK key. After encrypting the file, it will append the generated public key to it. Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor’s private key is known.

Organizations need to be proactive when protecting systems against ransomware and other attacks, they wrote. That includes embracing such security frameworks as those from the Center of Internet Security and the National Institute of Standards and Technology, which they said "help security teams to mitigate risks and minimize exposure to threats. Adopting the best practices discussed in their respective frameworks can save organizations the time and effort when they customize their own."

Archie Agarwal, founder and CEO of cybersecurity firm ThreatModeler, said companies need to be clear-eyed in their thinking.

"Just as attackers do a risk/reward calculation to determine the attack surface of choice, so should defenders do a cost/benefit analysis on mitigation," Agarwal told The Register. "If ransomware is a vector organizations fear, should they attempt to block all the entry vectors that ransomware – like water – seeks out? Or should organizations invest in data retention and replication scheme that prevents the ransomware's attack from impacting them?" ®

Broader topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022