I recently outlined the many methods of ransomware infection to showcase the ways ransomware can gain a foothold. Cheerscrypt adds yet another: VMware ESXi servers, which many organizations rely on to host virtual machines (VMs) for many different functions. Much like RDP ransomware, VM ransomware targets the host so that the damage spreads to every guest at once. Cheerscrypt encrypts the VM files on the host's storage, thereby taking down every VM on that datastore in one fell swoop.
Linux and Double Extortion
In my previous articles on Windows vs. Linux ransomware and the major operating systems targeted, I warned that although Linux machines are a tiny percentage of targets, their rise as a prominent target is inevitable.
Cheerscrypt unfortunately validates that point: it is a Linux-only ransomware. As has become common with Linux variants, it adds the extra threat of double extortion. Not only does Cheerscrypt encrypt the VM files on an ESXi server, it also threatens to publish the victim's data if the ransom is not paid.
Breakdown of the Attack
Trend Micro engineers captured Cheerscrypt in their lab soon after discovering it. Their reverse engineering effort was very illuminating.
Cheerscrypt is launched from a shell with the path to the encryption target passed to it as an argument. It first terminates all running VMs through the host's esxcli command (--type=force is a hard kill, so no guest gets a chance to shut down cleanly):
esxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')
ESXi holds a lock on a VM's disk, memory, and swap files while the VM is running, so killing every VM releases those locks and exposes all of their files to encryption at once. Once the VMs are down, working out which file was which becomes a challenge of its own, because Cheerscrypt renames each encrypted file and then appends a .Cheers extension to it, as demonstrated in the script shown in Figure 1:
Note that the script prints the target’s name to the terminal via a printf command, then executes a couple of nested if statements to copy, concatenate, and rename each file not locked by a running VM process.
Cheerscrypt targets certain types of files in particular, including log files (which is a good way to sabotage the ensuing forensic investigation). It specifically seeks out any file with the extension .log, .vmdk (virtual disks), .vmem (guest memory), .vswp (swap), or .vmsn (snapshot state).
A plain text file named "How to Restore Your Files.txt" is placed in every directory in which data is encrypted, warning the victim that their data will not only remain encrypted forever if the ransom isn't paid, but will be leaked online as well.
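The indicators described above (renamed files carrying a .Cheers extension, the ransom note dropped into each affected directory, and the five targeted extensions) are enough for a quick triage sweep of a datastore. The following script is an added example written for this page, not code from the article or from Trend Micro's analysis. It assumes the datastore path is readable and that the indicator names are exactly as the text states; it uses only POSIX sh and find, so it also runs in the BusyBox shell on an ESXi host, and the "intact" count points at files of the targeted types that still carry their original extension, which are the first candidates to check for recovery.

```shell
#!/bin/sh
# Added example: triage a datastore path for Cheerscrypt on-disk indicators.
# Not the article's or Trend Micro's code. Assumes the indicator names given
# in the text: "*.Cheers" for encrypted files and the ransom note
# "How to Restore Your Files.txt"; the five extensions are the targeted set.

# Count files under $1 whose name matches pattern $2 (prints 0 when none).
count_files() {
    find "$1" -type f -name "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Scan datastore path $1. Prints one summary line and returns 0 when clean,
# 1 when any encrypted file or ransom note is present.
cheers_scan() {
    dir=$1
    enc=$(count_files "$dir" '*.Cheers')
    notes=$(count_files "$dir" 'How to Restore Your Files.txt')
    # Targeted file types still under their original extension: either the
    # ransomware skipped them (e.g. locked by a still-running VM) or it never
    # reached this directory. Either way they are recovery candidates.
    intact=0
    for ext in log vmdk vmem vswp vmsn; do
        n=$(count_files "$dir" "*.$ext")
        intact=$((intact + n))
    done
    echo "encrypted=$enc notes=$notes intact=$intact"
    [ "$enc" -eq 0 ] && [ "$notes" -eq 0 ]
}

# List each directory under $1 that holds a ransom note, i.e. each VM folder
# the ransomware finished with, one per line.
affected_dirs() {
    find "$1" -type f -name 'How to Restore Your Files.txt' 2>/dev/null \
        | sed 's#/[^/]*$##' | sort -u
}

# Usage: sh cheers_triage.sh /vmfs/volumes/<datastore>   (path is an assumption)
if [ "$#" -gt 0 ]; then
    cheers_scan "$1" || echo "indicators found under $1; affected directories:"
    affected_dirs "$1"
fi
```

Run it against the datastore root rather than a single VM folder, since the note is dropped per directory and one sweep then gives the full list of affected VMs. The counts are only a first pass: a file that kept its .vmdk extension may still have been partially written before the process was interrupted, so verify candidates before trusting them for recovery.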
How to Protect Yourself
Cheerscrypt is so effective because most organizations rely on a single backup repository for all guest images; the attack therefore only needs to sabotage that one repository to render disaster recovery impossible.
This is why we recommend a ransomware backup strategy built on redundancy, ideally adhering to the 3-2-1 backup method. Our page on disaster recovery talks about ESXi servers in particular. You should also have a solid passive defense strategy and be aware of all the current ransomware prevention tools. Our How to Prevent Ransomware cheat sheet can help there.
Finally, for a comprehensive deep dive, get our book “Ransomware: Understand. Prevent. Recover.”