New Linux-Based Ransomware 'Cheerscrypt' Targets ESXi Devices



Trend Micro Research detected “Cheerscrypt”, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report.

By: Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, Warren Sto.Tomas (May 25, 2022)

We recently observed multiple detections of Linux-based ransomware that malicious actors launched to target VMware ESXi servers. ESXi is a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. We encountered Cheerscrypt, a new ransomware family that has been targeting a customer’s ESXi server used to manage VMware files.

In the past, ESXi servers were also attacked by other known ransomware families such as LockBit, Hive, and RansomEXX as an efficient way to infect many computers with ransomware.

This blog entry provides an overview of Cheerscrypt’s infection routine based on the information we have gathered so far.

Infection routine

The ransomware requires an input parameter specifying the path to encrypt so that it can proceed to its infection routine.

