We’re at it again! A new ransomware strain has been discovered that targets VMware ESXi


A new ransomware family called "Cheers" has recently appeared in the cybercrime world: a Linux-based encryptor that targets the VMware ESXi platform.

VMware ESXi is a popular virtualization platform used by enterprises around the world, and that prevalence has made it a favoured target for cybercriminal groups. Several notorious operations, including LockBit, Hive, and RansomEXX, have released ransomware variants built specifically for VMware ESXi.

When attacking a VMware ESXi server, Cheers launches an encryptor that first enumerates the running virtual machines and terminates them with the following esxcli one-liner, which scrapes the world IDs out of the output of esxcli vm process list:

esxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')

When encrypting, Cheers looks specifically for the files that make up a virtual machine: virtual disks (.vmdk), memory and swap files (.vmem, .vswp), snapshot state files (.vmsn), and logs (.log). Each target is renamed with a ".Cheers" extension, and the rename happens before the encryption. If the encryptor is then denied access to the renamed file, the file keeps its new name even though its contents were never encrypted.
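The kill command above is noisy if anyone is looking: ESXi records interactive ESXi Shell commands in /var/log/shell.log. The following Python snippet is an added example, not code from the original post or from the malware; it scans log lines in that style and rates every esxcli VM kill, giving the highest rating to a kill whose world IDs are fed from a live esxcli vm process list, which is exactly the Cheers pattern. The sample log lines are constructed here and their exact format is an assumption.

```python
import re

# Constructed sample in the style of ESXi /var/log/shell.log (format is an assumption).
SAMPLE_SHELL_LOG = """\
2022-05-25T10:11:12Z shell[2100]: [root]: esxcli vm process list
2022-05-25T10:11:15Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=$(esxcli vm process list|grep 'World ID'|awk '{print $3}')
2022-05-25T10:12:03Z shell[2100]: [root]: ls /vmfs/volumes/datastore1
2022-05-25T10:12:20Z shell[2100]: [root]: esxcli vm process kill --type=soft --world-id=2099587
"""

# "esxcli vm process kill" followed by its --type; accept "--" or an en dash,
# because copy-pasted commands often carry the typographic dash.
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*?(?:--|\u2013)type=(\w+)")
# World IDs taken from a live "esxcli vm process list": every running VM dies.
MASS_KILL_RE = re.compile(r"\$\(\s*esxcli\s+vm\s+process\s+list\b")


def classify_kill_commands(log_text):
    """Return (timestamp, severity, line) for each esxcli VM kill found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = KILL_RE.search(line)
        if not m:
            continue
        timestamp = line.split(" ", 1)[0]
        if MASS_KILL_RE.search(line):
            severity = "high"      # the Cheers pattern: kill everything at once
        elif m.group(1).lower() == "force":
            severity = "medium"    # forced kill of a single VM
        else:
            severity = "low"       # soft/hard kill of one VM, a common admin action
        hits.append((timestamp, severity, line))
    return hits


if __name__ == "__main__":
    for ts, sev, line in classify_kill_commands(SAMPLE_SHELL_LOG):
        print(f"{sev:6} {ts} {line.split(': ', 2)[-1]}")
```

The severity tiers are a starting point for an alert rule, not a verdict: a single forced kill is routine administration, while a kill driven by the full process list from a shell session is something an ESXi admin should be paged for.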

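Because Cheers renames before it encrypts, a datastore hit by it can contain ".Cheers" files that are still plaintext. The following Python triage script is an added example, not code from the original post; it walks a directory, picks out every file with the ".Cheers" suffix, and classifies each one from the bytes at its head: a recognisable VMDK signature or low Shannon entropy means the content survived and the file can be renamed back and verified, while uniformly high entropy means it must be restored from backup. The sample datastore it builds is constructed for the example, the signatures it recognises are assumed to be the well-known VMDK ones, and the entropy threshold is a heuristic that can misjudge compressed content.

```python
import math
import os
import shutil
import tempfile

SUFFIX = ".Cheers"
TARGET_EXTS = {".log", ".vmdk", ".vmem", ".vswp", ".vmsn"}
# Leading bytes that show a file is still plaintext (assumed well-known VMDK signatures).
KNOWN_HEADERS = {
    b"# Disk DescriptorFile": "vmdk descriptor",
    b"KDMV": "vmdk sparse extent",
}


def shannon_entropy(data):
    """Bits per byte in data: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_file(path, sample_size=4096, threshold=7.0):
    """Classify one *.Cheers file; return None for any other file."""
    name = os.path.basename(path)
    if not name.endswith(SUFFIX):
        return None
    original = name[: -len(SUFFIX)]
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    header = next((h for h in KNOWN_HEADERS if head.startswith(h)), None)
    entropy = shannon_entropy(head)
    if header is not None or entropy < threshold:
        verdict = "renamed-only"   # plaintext survived: rename back and verify
    else:
        verdict = "encrypted"      # restore from backup
    return {
        "path": path,
        "original_name": original,
        "target_ext": os.path.splitext(original)[1].lower() in TARGET_EXTS,
        "header": KNOWN_HEADERS.get(header),
        "entropy": round(entropy, 2),
        "verdict": verdict,
    }


def triage_tree(root):
    """Walk a datastore directory and triage every *.Cheers file under it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            r = triage_file(os.path.join(dirpath, f))
            if r is not None:
                results.append(r)
    return sorted(results, key=lambda r: r["original_name"])


def build_sample_datastore():
    """Constructed fixture, not real data: one renamed-but-plaintext VMDK descriptor,
    one byte-uniform blob standing in for ciphertext, and one untouched log."""
    root = tempfile.mkdtemp(prefix="cheers-triage-")
    descriptor = b'# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\ncreateType="vmfs"\n'
    with open(os.path.join(root, "vm1.vmdk.Cheers"), "wb") as fh:
        fh.write(descriptor)
    with open(os.path.join(root, "vm1-flat.vmdk.Cheers"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)  # entropy of exactly 8.0 bits per byte
    with open(os.path.join(root, "vmware.log"), "wb") as fh:
        fh.write(b"untouched log line\n")
    return root


def cleanup(root):
    """Remove the constructed fixture."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_datastore()
    try:
        for r in triage_tree(root):
            print(f"{r['verdict']:13} {r['entropy']:5.2f} {r['original_name']}")
    finally:
        cleanup(root)
```

Run it against a copy of the datastore, never the original: the point is to find files worth renaming back before any restore is attempted, and a file reported as renamed-only still has to be opened by ESXi to confirm it is intact.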

How can VMware ESXi users protect themselves against ransomware?

Since ransomware attacks cannot be avoided entirely, the best protection is a backup the attacker cannot reach. Vinchin provides comprehensive data protection for VMware environments, from the ESXi platform up to the application systems running on it, with a virtual machine backup and recovery solution that protects the data center.

1. Multiple features to improve backup efficiency

Flexible backup strategies: four backup modes (full, incremental, differential, and forever-incremental) and five schedule types (daily, weekly, monthly, rolling, and one-time). Backups run agentless, with no plug-in to install inside the guest, which lowers operation and maintenance cost. Deduplication and compression of backup data save storage space, and a LAN-free transfer mode improves transfer efficiency and minimizes the impact on production systems.

2. Instant recovery to keep data safe

Once a VMware virtual machine has been backed up, Vinchin can start it directly from the backup copy (instant recovery). Because the backup data itself is not modified, the interruption of mission-critical services after a disaster or failure is kept to a minimum, and the same mechanism gives a basis for verifying that backups are actually restorable.

3. Backup encryption and ransomware protection

Backup data produced by the virtual server backup solution is encrypted with strong algorithms (the vendor describes them as bank-level). Vinchin's proprietary encrypted-backup technology also monitors and protects backup data throughout its lifecycle: if ransomware or other malware attempts to modify the backup data, the access is denied outright.

4. Dual protection through off-site disaster recovery

If the primary backup data is lost, a second copy of the business-critical backups is essential for recovery. Transferring locally backed-up data to an off-site backup system and keeping it there as an off-site copy prevents data loss even when the local data center suffers a total disaster.

To keep your data safe and leave no room for cybercrime, all VMware users are encouraged to schedule instant VM backups as soon as possible. A 60-day free trial is available.
