December 8, 2023

A new Linux-based ransomware has been found targeting VMware servers using the ESXi hypervisor it developed for deploying virtual computers.

The new ransomware has been dubbed “Cheerscrypt.” The ransomware encrypts VMware-related files and shares some similarities with other ransomware families such as LockBit, Hive, and RansomEXX, which have previously targeted ESXi servers in the past.


Once gained access to an ESXi server, Cheersscrypt seeks out files with the extensions .log, .vmdk, .vmem, .vswp, and .vmsn connected to ESXi snapshots, log files, swap files, paging files, and virtual disks. It then adds. Cheers to the end of the file names before encrypting them.

Cheerscrypt, as is increasingly common with ransomware over the last 12 to 18 months, is double-tap ransomware: Not only do those behind the ransomware demand payment for a decryption key, but they also threaten to release stolen data if the ransom is not paid.

In a ransom note, the Cheerscrypt hackers, follow up their “Cheers!” message by saying the victim should contact them within three days, or they will expose some of the stolen data and increase the amount of ransom demanded. Along with warnings not to try to decrypt the files, the hackers then say that if they are not contacted, the stolen data will be sold to opponents or criminals.


To reduce the risk of an attack, a proactive stance that ensures solid cybersecurity defenses against modern ransomware threats is crucial for organizations to thrive in an ever-changing threat landscape. Organizations, they add, should establish security frameworks, and adopt best practices.

Cheerscrypt Encryption Algorithm

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.