Linux-based Ransomware Cheerscrypt Attacks VMware ESXi Servers

There has been an appearance in the cybercrime universe of a new ransomware attack dubbed ‘Cheers.’ It targets the VMware ESXi servers that have been found to be vulnerable.

There are many large organizations and large companies in the world that use virtualization platforms such as VMware ESXi, making their encryption a serious disruption to the business operations of the companies using them.

The VMware ESXi platform has been targeted by many ransomware groups in the past, with the most recent ones being:-


Among the new additions to the group is ‘Cheerscrypt’ ransomware (aka Cheers). Security analysts at Trend Micro discovered the brand-new ransomware.

Cheers: Infection & Encryption

It is possible for the threat actors to launch the encryptor automatically when a VMware ESXi server is compromised. 

After this is done, the encrypted virtual machines are then enumerated using the encryption algorithm. A command similar to esxcli is then used to terminate the virtual machines.

The encryption process specifically aims at looking for files that have the following extensions that are listed below:-


In addition to snapshots and log files, ESXi includes virtual disks, paging files, and swap files. In order to identify each encrypted file as a Cheers file, the extension “.Cheers” will be added to the file name.

It may not matter whether the file has been encrypted or not once it has been renamed. However, the file will still be renamed if access permissions have been denied.

In order to encrypt files, the ransomware employs the SOSEMANUK stream cipher. To generate the SOSEMANUK key, it uses the

Read more

Explore the site

More from the blog

Latest News