Chris Swagler | May 31st, 2022

New ransomware called “Cheers” or “Cheerscrypt” has emerged on the cyber threat landscape, beginning its operations by targeting vulnerable VMware ESXi servers. VMware ESXi, a virtualization platform, is used by large global companies and encrypting them causes severe disruption to a company’s operations. Many ransomware groups have targeted the VMware ESXi platform, with LockBit and Hive being the most recent additions.

The threat actors launch the encryptor, once a VMware ESXi server is compromised, to automatically enumerate and shut down any running virtual machines using the following esxcli command: esxcli vm process kill -type=force -world-id=$(esxcli vm process list|grep ‘World ID’ |awk ‘{print $3}’). When encrypting files, it searches for files with the following extensions: .log, .vmdk, .vmem, .vswp, and .vmsn extensions. The “.Cheers” extension is attached to the filename of each encrypted file. Renaming files occurs before encryption meaning that if access permission to rename a file is denied, the encryption will fail, however, the file will still be renamed. The encryption scheme generates a secret (SOSEMANUK stream cipher) key from a pair of public and private keys and embeds it in each encrypted file. To prevent recovery, the private key used to generate the secret key is deleted.


The ransomware will write ransom notes named “How To Restore Your File.txt” in each folder while scanning for files to encrypt. These ransom notes contain details on the victim’s files and links to the ransomware operation’s Tor data leak sites and ransom negotiation sites. Each victim has their own Tor site for negotiations; however, the Onion URL for the data leak site is static. The new operation looks to have launched in March 2022. Even though a Linux ransomware form has been discovered so far, a Windows variant is likely available.

According to BleepingComputer, they discovered the Cheers ransomware operation’s data leak and victim extortion Onion site, which currently names four victims. However, the existence of the portal indicates that Cheers is exfiltrating data during the attacks and using the stolen data in double extortion attacks. Because the victims are semi-large size, it appears that the new group wants to target companies that can cover larger demands. The threat actors give their victims three days to access the Tor site to negotiate the ransom payment in exchange for a decryption key based on the ransom notes examined. The threat actors say that if victims do not pay a ransom, they will sell the stolen data to other criminals. If no one wants to buy the data, it’s exposed to clients, contractors, data protection authorities, competitors, and other threat actors when published on the leak portal.

With more ransomware groups, like Cheers, LockBit, and Hive, targeting the VMware ESXi platform to cause business disruptions, it’s critical that high-profile companies remain alert on the latest threat landscape and regularly update their data network security infrastructure. At SpearTip, we perform advisory services to quickly identify the risks that matter in real-world attacks and offer gap analysis, penetration testing, and tabletop exercises. SpearTip assesses companies’ external security controls by simulating attacks from the public internet and identifying vulnerabilities that allow SpearTip access to their internal environment. Our Internal Security Assessment (ISA) simulates attacks from an internal perspective on the local network, probing all internal systems for vulnerabilities. It allows companies to strengthen internal security controls and mitigate potential damage from a compromise. Our tabletop exercises are designed based on the most current tactics, techniques, and procedures employed by threat actors and identify key findings to strengthen companies’ ongoing security postures.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.