Researchers with Trend Micro have discovered a new Linux-based ransomware, called Cheerscrypt, that target ESXi devices and was derived from the recently leaked Babuk source code. The researchers found similarities between Cheerscrypt and the Babuk ransomware (specifically the version of ESXi targeted).

Once infected, Cheerscrypt notifies victims and threatens to sell data to their “opponent” and cyber criminals if the ransom is not paid. Once executed, the malicious application terminates VM processes using the esxcli command to ensure the ransomware can successfully encrypt VMware-related files and uses the double extortion scheme to coerce its victims to pay the ransom. The ransomware seeks out log and VMware-related files with the extensions .log, .vmdk, .vmem, .vswp and .vmsn and then renames them with a .Cheers extension. Once the files are encrypted, it displays a message in the console that contains information about the newly-encrypted files. 

According to the Trend Micro researchers, “The ransomware uses SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key.” They continue, “For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux’s /dev/urandom.” Finally, the researchers state, “It then uses its embedded public key and the generated private key to create a secret key that will be used as a SOSEMANUK key. After encrypting the file, it will append the generated public key to it. Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor’s private key is known.”