Cheerscrypt

Malware updated 3 months ago (2024-07-22T15:17:42.110Z)

Download STIX

Preview STIX

Cheerscrypt is a malicious software (malware) that was discovered in May 2022, specifically designed to target ESXi servers, which are extensively used by enterprises for server virtualization. This discovery was made following the reporting of DarkSide ransomware variants in May 2021. Cheerscrypt, like other malware, can infiltrate systems through suspicious downloads, emails, or websites, and once inside, it can disrupt operations, steal personal data, or even hold your data hostage for ransom. The analysis suggests that Cheerscrypt and another malware called ESXi Args are likely based on leaked Babuk source code, which has been previously used in other ESXi ransomware campaigns, including Quantum/Dagon group’s PrideLocker encryptor. Interestingly, the ransom notes from Cheerscrypt and ESXi Args, circulated between October 2022 and February 2023, share striking similarities in their wording. However, differences in encryption methods have raised questions about whether they represent new variants or just share a common Babuk codebase. Cheerscrypt gained notoriety in early 2022 and is part of an alarming trend of ransomware attacks targeting ESXi servers. Other recent examples include ESXiArgs and Luna. These attacks underscore the escalating threat landscape for enterprise server infrastructure and highlight the need for robust cybersecurity measures to protect against such threats.

Description last updated: 2024-07-22T15:16:41.427Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Ransom

Esxi

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The DarkSide Threat Actor is associated with Cheerscrypt. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across	Unspecified	2

Source Document References

Information about the Cheerscrypt Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	3 months ago	From RA Group to RA World: Evolution of a Ransomware Group
CERT-EU	2 years ago	ESXiArgs Ransomware: Targeting VMware ESXi Servers \| SecureReading
CERT-EU	2 years ago	Royal Ransomware expands attacks by targeting Linux ESXi servers – Cyber Security Review
Securityaffairs	2 years ago	Over 500 ESXiArgs Ransomware infections in one day in Europe
CERT-EU	a year ago	New MichaelKors Ransomware Targets ESXi and Linux
Trend Micro	2 years ago	Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers