For those not in the know, ESXi servers are bare-metal hypervisors for creating and running several virtual machines that share the same hard drive storage.
Dubbed Cheerscrypt, the bad app is following in the footsteps of other ransomware programs — such as LockBit, Hive, and RansomEXX — that have found ESXi an efficient way to infect many computers at once with malicious payloads.
Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, said that most organisations operate using VMware virtual machines. "It makes the job of ransomware attackers far easier because they can encrypt one server — the VMware server — and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once."
"Most VM shops use some sort of VM backup product to back up all guest servers, so finding and deleting or corrupting one backup repository kills the backup image for all the hosted guest servers all at once," Grimes said.
The crims behind Cheerscrypt use a "double extortion" technique to extract money from its targets, the researchers explain. "Security Alert!!!" the attackers' ransom message declares. "We hacked your company successfully. All files have been stolen and encrypted by us. If you want to restore your files or avoid file leaks, please contact us."