{
	"id": "d7ebc219-b880-4f4d-a061-bf9fb676d07d",
	"created_at": "2026-04-06T00:15:11.355045Z",
	"updated_at": "2026-04-10T03:20:42.261938Z",
	"deleted_at": null,
	"sha1_hash": "a4c76293b665b2e59948478b48daffff1269be3f",
	"title": "New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 645509,
	"plain_text": "New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\r\nPublished: 2022-05-25 · Archived: 2026-04-05 19:22:09 UTC\r\nRansomware\r\nNew Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to\r\nLeaked Babuk Source Code\r\nNew findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers,\r\nwas derived from the leaked Babuk source code. We discuss our analysis in this report.\r\nBy: Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, Warren Sto.Tomas May 25, 2022 Read time: 3 min\r\n(900 words)\r\nWe recently discovered that Cheerscrypt, the new Linux-based ransomware that we detected in multiple attacks\r\ntargeting ESXi servers, was based on the leaked Babuk source codeopen on a new tab. Upon scrutiny, we found\r\nsimilarities between Cheerscrypt and the Linux version of the Babuk ransomware, specifically its ESXi version.\r\nThe base code of Cheerscrypt appears to be derived from the Babuk source code, but modified and customized to\r\nsuit the malicious actor’s ransomware goals.\r\nThis blog entry discusses our findings and provides an overview of Cheerscrypt’s infection routine based on the\r\ninformation we have gathered so far.\r\nBrief background\r\nOver the past few weeks, we observed several Linux-based ransomware detections that malicious actors launched\r\nto target VMware ESXiopen on a new tab servers, a bare-metal hypervisor for creating and running several virtual\r\nmachines (VMs) that share the same hard drive storage. 
We encountered Cheerscrypt, a new ransomware family, during this period; it was targeting a customer’s ESXi server that was used to manage VMware files.\r\nIn the past, ESXi servers were also attacked by other known ransomware families such as LockBit, Hive, and RansomEXX, because one compromised hypervisor is an efficient way to infect many machines with ransomware in a single step.\r\nInfection routine\r\nThe ransomware requires an input parameter specifying the path to encrypt before it can proceed to its infection routine.\r\nhttps://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\r\nPage 1 of 7\r\nFigure 1. Ransomware command line\r\nUpon execution, it runs the following command to terminate VM processes using ESXCLI:\r\nesxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')\r\nThe command substitution lists every running VM world and extracts its World ID, so the forced kill is aimed at all VMs on the host rather than at one. Terminating the VM processes releases the files that running VMs hold open, so that the ransomware can then open and encrypt the VMware-related files.\r\nSimilar to other infamous ransomware families, Cheerscrypt employs the double extortion scheme to coerce its victim to pay the ransom, as shown in its ransom note in Figure 2.\r\nFigure 2. Cheerscrypt’s ransom note\r\nSuccessfully encrypted files are renamed with the .Cheers extension. However, the ransomware renames each file before encrypting it, so if it does not have the permission needed to rename a file, it cannot proceed with the actual encryption of that file.\r\nFigure 3. Cheerscrypt renames the sample before encryption.\r\nFor each directory it encrypts, it drops a ransom note named “How to Restore Your Files.txt”.
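The esxcli force-kill above is the one host-side action in this routine that leaves a clean log trail: commands typed in the ESXi Shell are written to /var/log/shell.log. The following Python is an added example, not part of the original report and not Trend Micro's code. It scans shell.log-style lines for esxcli vm process kill and rates each invocation, so that the force-kill-everything form the sample uses is separated from an administrator soft-killing one hung VM. The log line layout and the sample lines are constructed assumptions.

```python
# Added example (not Trend Micro's code): flag ESXi shell.log entries where esxcli
# is used to force-kill every VM world at once, the pre-encryption step the report
# describes. The log line format is an assumption modelled on /var/log/shell.log,
# and the lines themselves are constructed for this example.

CONSTRUCTED_SHELL_LOG = '''
2022-05-20T02:14:07Z shell[2101012]: [root]: esxcli vm process list
2022-05-20T02:14:09Z shell[2101012]: [root]: esxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')
2022-05-20T02:15:31Z shell[2101012]: [root]: ./encrypt /vmfs/volumes/datastore1
2022-05-21T09:00:02Z shell[2133300]: [admin]: esxcli vm process kill --type=soft --world-id=2100871
2022-05-21T09:00:40Z shell[2133300]: [admin]: esxcli system syslog reload
'''

KILL_PREFIX = 'esxcli vm process kill'


def parse_shell_log_line(line):
    '''Split one line into (timestamp, user, command); None if it does not fit
    the assumed format  <ISO time> shell[<pid>]: [<user>]: <command>.'''
    parts = line.split(' ', 3)
    if len(parts) != 4 or not parts[1].startswith('shell['):
        return None
    timestamp, _proc, user, command = parts
    return timestamp, user.strip('[]:'), command.strip()


def assess_kill_command(command):
    '''Severity of an esxcli vm process kill invocation, or None if it is not one.
    high   : --type=force with the world id taken from command substitution or
             backticks, i.e. every running VM on the host is killed (the pattern
             in the report)
    medium : --type=force against one explicit world id
    low    : soft kill, ordinary administration'''
    if KILL_PREFIX not in command:
        return None
    tokens = command.split()
    kill_type, world_id = 'soft', ''
    for i, token in enumerate(tokens):
        if token.startswith('--type='):
            kill_type = token.split('=', 1)[1]
        elif token == '-t' and i + 1 < len(tokens):       # short form of --type
            kill_type = tokens[i + 1]
        elif token.startswith('--world-id='):
            world_id = ' '.join([token.split('=', 1)[1]] + tokens[i + 1:])
        elif token == '-w':                                # short form of --world-id
            world_id = ' '.join(tokens[i + 1:])
    mass_kill = '$(' in world_id or '`' in world_id
    if kill_type == 'force':
        return 'high' if mass_kill else 'medium'
    return 'low'


def scan_shell_log(text):
    '''Return (timestamp, user, severity, command) for every kill command found.'''
    findings = []
    for line in text.strip().splitlines():
        parsed = parse_shell_log_line(line)
        if parsed is None:
            continue
        timestamp, user, command = parsed
        severity = assess_kill_command(command)
        if severity is not None:
            findings.append((timestamp, user, severity, command))
    return findings


if __name__ == '__main__':
    for finding in scan_shell_log(CONSTRUCTED_SHELL_LOG):
        print(*finding)
```

Point scan_shell_log at the contents of a shell.log copied off the host, or at the forwarded syslog stream if shell.log is shipped. A high finding followed by a burst of renames to .Cheers on the datastore is the sequence the report describes; a low finding on its own is routine administration.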
It seeks out log files and VMware-related files with the following extensions (VM logs, virtual disks, VM memory files, swap files, and snapshot state files):\r\n.log\r\n.vmdk\r\n.vmem\r\n.vswp\r\n.vmsn\r\nAfter successful encryption, it displays a console that contains the data statistics of its routine:\r\nFigure 4. Console displayed after encryption\r\nEncryption algorithm\r\nCheerscrypt’s executable file contains the public key of a matching key pair; the private key is held by the malicious actor. The ransomware uses the SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key. For each file to encrypt, it generates an ECDH public-private key pair on the machine using Linux’s /dev/urandom. It then combines its embedded public key with the generated private key to derive a shared secret that serves as the SOSEMANUK key. After encrypting the file, it appends the generated public key to it. The generated private key is never saved, so the embedded public key and the appended public key together are not enough to reproduce the shared secret. Decryption is therefore only possible with the malicious actor’s private key, which combined with the appended public key yields the same shared secret. The infection chain is shown in Figure 5.\r\nFigure 5. Cheerscrypt’s encryption algorithm\r\nNew findings: Cheerscrypt linked to Babuk\r\nUnlike Cheerscrypt, Babuk’s malware version used to compromise ESXi servers ensured that the files were encrypted before it renamed the target files. 
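To make the key-management consequence of the encryption algorithm described above concrete, here is the same per-file scheme rebuilt in Python as an added example. This is not Cheerscrypt's, Babuk's or Trend Micro's code, and it substitutes open primitives where the report leaves details out: X25519 (RFC 7748, implemented inline and not constant-time) stands in for the ECDH curve the report does not name, a SHA-256 counter keystream stands in for SOSEMANUK, and hashing the shared secret to obtain the file key is my choice, since the report does not say how the secret becomes the cipher key. Everything else follows the description: the embedded actor public key, an ephemeral key pair per file from /dev/urandom, the ephemeral public key appended to the ciphertext, and the ephemeral private key discarded.

```python
# Added example, not Cheerscrypt's, Babuk's or Trend Micro's code: the per-file
# hybrid scheme the report describes, rebuilt so the key-management consequence is
# visible. Substitutions (mine, not from the sample): X25519 from RFC 7748 stands in
# for the unnamed ECDH curve, a SHA-256 counter keystream stands in for SOSEMANUK,
# and SHA-256 of the shared secret is used as the file key. The ladder below is not
# constant-time; it is written for readability, not for production use.
import hashlib
import os

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, 'little')


def _clamp(scalar):
    # RFC 7748 scalar decoding: clear low 3 bits, clear bit 255, set bit 254.
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, 'little')


def x25519(scalar, point):
    # Montgomery ladder, RFC 7748 section 5: u-coordinate of scalar * point.
    k = _clamp(scalar)
    x1 = int.from_bytes(point, 'little') & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')


def keypair():
    # Fresh key pair from the kernel CSPRNG (/dev/urandom), as the report describes.
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def keystream(key, length):
    # Stand-in for SOSEMANUK: concatenated SHA-256(key || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, 'little')).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(plaintext, actor_pub):
    # Per file: ephemeral pair, shared secret with the embedded actor public key,
    # stream-encrypt, append the ephemeral public key. eph_priv is never stored.
    eph_priv, eph_pub = keypair()
    file_key = hashlib.sha256(x25519(eph_priv, actor_pub)).digest()
    ks = keystream(file_key, len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, ks)) + eph_pub


def decrypt_file(blob, actor_priv):
    # Only the holder of actor_priv can do this: read the ephemeral public key off
    # the tail, complete the same ECDH from the other side, regenerate the keystream.
    ct, eph_pub = blob[:-32], blob[-32:]
    file_key = hashlib.sha256(x25519(actor_priv, eph_pub)).digest()
    ks = keystream(file_key, len(ct))
    return bytes(c ^ s for c, s in zip(ct, ks))


def demo():
    # Constructed sample content standing in for a VMware file.
    sample = b'Disk DescriptorFile version=1 CID=fffffffe'
    actor_priv, actor_pub = keypair()     # actor_pub is what the binary embeds
    blob = encrypt_file(sample, actor_pub)
    again = encrypt_file(sample, actor_pub)
    return {
        'appended_key': len(blob) == len(sample) + 32,
        'actor_recovers': decrypt_file(blob, actor_priv) == sample,
        'fresh_key_per_file': again[-32:] != blob[-32:] and again[:-32] != blob[:-32],
    }


if __name__ == '__main__':
    print(demo())
```

decrypt_file works only with actor_priv. A defender who has the binary (and so actor_pub) and an encrypted file (and so eph_pub) holds two public keys and no private one, which is exactly why recovery without the actor's key is not possible. This is a standard ECIES-style construction, so what to look for in real samples is not a flaw in the mathematics but an implementation mistake such as a weak RNG or key reuse; the report claims neither for Cheerscrypt.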
This goes to show that despite the Babuk ransomware operators’ announcement of their retirement, after claiming they had already achieved their goals, their impact can still reach organizations when other malicious actors build upon the source code they leaked.\r\nWe provide Babuk’s source code for the malware variant specific to ESXi servers in Figure 6. In Figure 7, we can see that Cheerscrypt’s source code was based on Babuk’s previously leaked source code.\r\nFigure 6. Babuk’s source code for the malware variant used to target ESXi servers\r\nFigure 7. Cheerscrypt’s source code with similarities to Babuk’s source code\r\nConclusion\r\nESXi is widely used in enterprise settings for server virtualization. It is therefore a popular target for ransomware attacks. As mentioned, compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices. Organizations should thus expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.\r\nRecommendations\r\nA proactive stance that ensures solid cybersecurity defenses against modern ransomware threats is crucial for organizations to thrive in an ever-changing threat landscape. To protect systems against similar attacks, organizations can establish security frameworks that systematically allocate resources based on an enterprise’s needs. 
\r\nOrganizations can benefit from following the security frameworks established by the Center for Internet Security and the National Institute of Standards and Technology when developing their own cybersecurity strategies. The frameworks they created help security teams mitigate risks and minimize exposure to threats. Adopting the best practices discussed in their respective frameworks can save organizations time and effort when they customize their own. Their frameworks guide organizations through the entire planning process while suggesting which measures need to be established first.\r\nSource: https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html"
	],
	"report_names": [
		"new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4c76293b665b2e59948478b48daffff1269be3f.pdf",
		"text": "https://archive.orkl.eu/a4c76293b665b2e59948478b48daffff1269be3f.txt",
		"img": "https://archive.orkl.eu/a4c76293b665b2e59948478b48daffff1269be3f.jpg"
	}
}