Cheers


Description

Cheers (also tracked as Cheerscrypt) is a Linux-based ransomware variant first observed in May 2022 and built specifically to target VMware ESXi servers. The malware was developed from the leaked Babuk ransomware source code and encrypts files with the SOSEMANUK stream cipher, using ECDH key exchange to protect the per-victim key. On execution it terminates all running virtual machines, then renames and encrypts log files and files with VM-related extensions such as .vmdk, .vmsn and .vswp, appending a .Cheers extension to each. A ransom note titled "How To Restore Your Files.txt" is dropped in every affected directory. The ransomware is attributed to the Chinese-affiliated group BRONZE STARLIGHT (also known as Emperor Dragonfly and DEV-0401), which has previously deployed other strains including Rook, NightSky and Pandora. Cheers targets a range of industry sectors, with confirmed victims in healthcare, finance, logistics and manufacturing.

External Analysis
https://www.watchguard.com/wgrd-ransomware/cheerscrypt
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
https://www.sentinelone.com/anthology/cheerscrypt/
https://www.sygnia.co/threat-reports-and-advisories/revealing-emperor-dragonfly-a-chinese-ransomware-group/
https://heimdalsecurity.com/blog/cheerscrypt-ransomware-strain-attributed-to-chinese-hacking-group/
Affiliates
BRONZE STARLIGHT team
Urls
http://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion/
http://crkfkmrh4qzbddfrl2axnkvjp5tgwx73d7lq4oycsfxc7pfgbfhtfiid.onion/
File servers
Chat servers
Admin servers

Posts

Date        Title
2022-09-14  DYNAM JAPAN HOLDINGS CO., LTD
2022-09-01  An Japan Game Halls Operator
2022-08-18  An Financial Company - Paid
2022-08-18  An Technology Company - Paid
2022-08-18  An International Shipping Company - Paid
2022-08-18  An Insurance Company - Paid
2022-08-18  An British Financial Company - Public