Trend Micro security analysts have discovered a new Linux-based ransomware that targets the VMware ESXi devices. Currently, the threat actors behind those attacks are unknown. However, some speculations point out the threat actors might be related to or a rebranding of the NightSky ransomware gang.
Starts with killing VM processes
After compromising a target VMware ESXi server, the threat actors run the command line “./chrscrypt /path/xxx/yyy” to specify the path to be encrypted. Then the infection routine begins. The first step of the infection routine is terminating the VM processes by utilizing ESXCLI by implementing the following command line:
esxcli vm process kill –type=force –world-id=$(esxcli vm process list|grep ‘World ID’|awk ‘{print $3}’)This step is required to make sure that the VMware-related files are encrypted. The files that have been encrypted are renamed get “.Cheers” extension; which is actually done before the encryption process starts. This means if the ransomware fails to rename a file with the new extension, it will now proceed into encrypting the file as well. It is very strange behavior for ransomware. After the target files are encrypted, it creates the ransom note named “How to Restore Your Files.txt”, then follows up with statistics of the process.
« Cheerscrypt’s executable file contains the public key of a matching key pair with the private key being held by the malicious actor. The ransomware uses SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key. For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux’s /dev/urandom. It then uses its embedded public key and the generated private key to create a secret key that will be used as a SOSEMANUK key. After encrypting the file, it will append the generated public key to it. Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor’s private key is known »
The threat actors behind the Cheerscrypt ransomware also exfilter the data from target systems in addition to encrypting them. That means the gang threatens the victims by publishing their sensitive data as well; simply a double-extortion scheme.