New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices
Published: 2022-05-25 · Archived: 2026-04-05 19:22:09 UTC
Ransomware
New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to
Leaked Babuk Source Code
New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers,
was derived from the leaked Babuk source code. We discuss our analysis in this report.
By: Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, Warren Sto.Tomas May 25, 2022 Read time: 3 min
(900 words)
We recently discovered that Cheerscrypt, the new Linux-based ransomware that we detected in multiple attacks
targeting ESXi servers, was based on the leaked Babuk source codeopen on a new tab. Upon scrutiny, we found
similarities between Cheerscrypt and the Linux version of the Babuk ransomware, specifically its ESXi version.
The base code of Cheerscrypt appears to be derived from the Babuk source code, but modified and customized to
suit the malicious actor’s ransomware goals.
This blog entry discusses our findings and provides an overview of Cheerscrypt’s infection routine based on the
information we have gathered so far.
Brief background
Over the past few weeks, we observed several Linux-based ransomware detections that malicious actors launched
to target VMware ESXiopen on a new tab servers, a bare-metal hypervisor for creating and running several virtual
machines (VMs) that share the same hard drive storage. We encountered Cheerscrypt, a new ransomware family
that has been targeting a customer’s EXSi server used to manage VMware files, during this period.
In the past, ESXi servers were also attacked by other known ransomware families such as LockBitnews article,
Hivenews article, and RansomEXXnews article as an efficient way to infect many  computers with ransomware.
This blog entry provides an overview of Cheerscrypt’s infection routine based on the information we have
gathered so far.
Infection routine
The ransomware requires an input parameter specifying the path to encrypt so that it can proceed to its Infection
routine.
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 1 of 7

Figure 1. Ransomware command line
Upon execution, it implements the following command to terminate VM processes using ESXCLIopen on a new
tab:
“esxcli vm process kill –type=force –world-id=$(esxcli vm process list|grep ‘World ID’|awk ‘{print
$3}’)”
The termination of the VM processes ensures that the ransomware can successfully encrypt VMware-related files.
Similar to other infamous ransomware families, Cheerscrypt employs the double extortionnews- cybercrime-and-digital-threats scheme to coerce its victim to pay the ransom, as shown on their ransom note in Figure 2.
Figure 2. Cheerscrypt’s ransom note
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 2 of 7

Successfully encrypted files are renamed with the .Cheers extension. However, the ransomware first renames the
files it will encrypt before encrypting the files. Thus, if the access permission for the file was not granted, it cannot
proceed with the actual encryption.
Figure 3. Cheerscrypt renames the sample before encryption.
For each directory it encrypts, it will drop the ransom note named, “How to Restore Your Files.txt”.  It seeks out
log files and VMware-related files with the following extensions:
.log
.vmdk
.vmem
.vswp
.vmsn
After successful encryption, it displays the following console that contains the data statistics of its routine:
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 3 of 7

Figure 4. Console displayed after encryption
Encryption algorithm
Cheerscrypt’s executable file contains the public key  of a matching key pair with the private key being held by
the malicious actor.  The ransomware uses SOSEMANUKopen on a new tab stream cipher to encrypt files and
ECDHopen on a new tab to generate the SOSEMANUK key. For each file to encrypt, it generates an ECDH
public-private key pair on the machine through Linux’s /dev/urandom. It then uses its embedded public key and
the generated private key to create a secret key that will be used as a SOSEMANUK key. After encrypting the file,
it will append the generated public key to it. Since the generated private key is not saved, one cannot use the
embedded public key with the generated private key to produce the secret key. Therefore, decryption is only
possible if the malicious actor’s private key is known. The infection chain is shown on Figure 5.
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 4 of 7

Figure 5. Cheerscrypt’s encryption algorithm
New findings: Cheerscrypt linked to Babuk
Unlike Cheerscrypt, Babuk’s malware version used to compromise ESXi servers ensured that the files were
encrypted before it renamed the target files. This goes to show that despite the Babuk ransomware operator’s
announcement of their retirementopen on a new tab — after claiming they already achieved their goals — their
impact can still affect different organizations when other malicious actors build upon the source code they leaked.
We provide Babuk’s source code for the malware variant specific to ESXi servers in Figure 6. In Figure 7, we can
see that Cheerscrypt’s source code was based on Babuk’s source code that was leaked before.
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 5 of 7

Figure 6. Babuk’s source code for the malware variant used to target ESXi servers
Figure 7. Cheerscrypt’s source code with similarities to Babuk’s source code
Conclusion
ESXi is widely used in enterprise settings for server virtualization. It is therefore a popular target for ransomware
attacks. As mentioned, compromising ESXi servers has been a scheme used by some notorious cybercriminal
groups because it is a means to swiftly spread the ransomware to many devices. Organizations should thus expect
malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for
monetary gain.
Recommendations 
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 6 of 7

A proactive stance that ensures solid cybersecurity defenses against modern ransomware threats is crucial for
organizations to thrive in an ever-changing threat landscape. To protect systems against similar attacks,
organizations can establish security frameworks that systematically allocate resources based on an enterprise’s
needs. 
Organizations can benefit from following the security frameworks established by the Center of Internet
Securityopen on a new tab and the National Institute of Standards and Technologyopen on a new tab when
developing  their own cybersecurity strategies. The frameworks they created help security teams to mitigate risks
and minimize exposure to threats. Adopting the best practices discussed in their respective frameworks can save
organizations the time and effort when they customize their own. Their frameworks guide organizations through
the entire process of planning while providing suggestions on measures that need to be established first.
Tags
Source: https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Page 7 of 7