Cheers
Description
Cheers is a Linux-based ransomware variant observed starting in May 2022, engineered specifically to target VMware ESXi servers. The malware was developed from leaked Babuk ransomware source code and leverages the SOSEMANUK stream cipher combined with ECDH key exchange for encryption. It terminates all running virtual machines before renaming and encrypting log files and VM-related extensions—like .vmdk, .vmsn, and .vswp—appending a .Cheers extension. A ransom note titled "How To Restore Your Files.txt" is dropped per directory. The ransomware is attributed to the Chinese-affiliated group BRONZE STARLIGHT (also known as Emperor Dragonfly, DEV-0401), which has previously deployed other strains like Rook, NightSky, and Pandora. Cheers targets a range of industry sectors, with confirmed victims across healthcare, finance, logistics, and manufacturing.
External Analysis
- https://www.watchguard.com/wgrd-ransomware/cheerscrypt
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
- https://www.sentinelone.com/anthology/cheerscrypt/
- https://www.sygnia.co/threat-reports-and-advisories/revealing-emperor-dragonfly-a-chinese-ransomware-group/
- https://heimdalsecurity.com/blog/cheerscrypt-ransomware-strain-attributed-to-chinese-hacking-group/

Affiliates
- BRONZE STARLIGHT team
Urls
- http://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion/
- http://crkfkmrh4qzbddfrl2axnkvjp5tgwx73d7lq4oycsfxc7pfgbfhtfiid.onion/
Posts

| Date | Title |
|---|---|
| 2022-09-14 | DYNAM JAPAN HOLDINGS CO., LTD |
| 2022-09-01 | An Japan Game Halls Operator |
| 2022-08-18 | An Financial Company - Paid |
| 2022-08-18 | An Technology Company - Paid |
| 2022-08-18 | An International Shipping Company - Paid |
| 2022-08-18 | An Insurance Company - Paid |
| 2022-08-18 | An British Financial Company - Public |