Recently, a spike in malicious actors targeting VMware ESXi servers with Linux-based ransomware has been observed by security experts. ESXi is a bare-metal hypervisor used to create and operate many virtual machines (VMs) that share a single hard drive. As per the information that has been revealed, an ESXi server used by a client to store and administer VMware data has been targeted by Cheerscrypt, a new ransomware family that is gaining popularity. Cheerscrypt’s infection process is summarized further down, using the information that has been revealed so far.
When the ransomware begins its Infection routine, it needs an input argument identifying the path to encrypt. ESXCLI is used to terminate VM processes, after which the ransomware is able to encrypt VMware data. As per the details described in the ransom message, the Cheerscrypt ransomware family uses the twofold extortion method, which has been used by several well-known ransomware families.
However, the ransomware renames the files it intends to encrypt first, before encrypting them completely. As a result, encryption cannot begin if the file’s permissions have not been given. A ransom note, named “How to Restore Your Files.txt”, is then dropped for each directory with encrypted data. The malware looks for log files and VMware-related files with the following extensions:
- .log
- .vmdk
- .vmem
- .vswp
- .vmsn
The executable file of Cheerscrypt includes the public key of a key pair that consists also of a private key, owned by the malicious actor.
Server virtualization using ESXi is a common practice in the workplace, therefore, this is a very desirable target for Ransomware attacks. Cybercriminals have a history of exploiting ESXi servers to distribute ransomware since it’s a simple way to infect a large number of computers. Ransomware families such as LockBit, Hive, and RansomEXX have previously targeted ESXi servers as an effective method of spreading ransomware to a large number of devices. Malicious actors will, thus, continue to improve their malware arsenals and attempt to compromise as many systems and platforms as possible in order to profit financially.
Safety recommendations
Companies need to take a proactive approach to cybersecurity in order to prosper in an ever-changing threat environment. They need to set up security frameworks that systematically distribute resources depending on an enterprise’s needs in order to defend systems against similar threats.
The security guidelines created by the Center of Internet Security and the National Institute of Standards and Technology can be used as a foundation when building the organization’s own cybersecurity plans. The frameworks published there allow security teams to limit risks and decrease exposure to attackers, while also saving time and adopting best practices.
Leave a Comment