[MART] - Daily Diary #519 - Cheers ransomware launches its operation targeting ESXi Servers

CTAS-MAT ctas-mat at appgate.com
Thu May 26 21:12:10 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

05/26/2022 - Diary entry #519

This month a new ransomware strain was disclosed. Self-named "Cheers", the ransomware operates in the double-extortion model, stealing data before encrypting it and then threatening to publish the stolen data if the ransom is not paid. Cheers seems to be a new threat, with IOCs dating from March of this year.

What is curious about Cheers is its focus on the VMware ESXi hypervisor. Upon infecting an ESXi host, the malware enumerates all virtual machines, shuts them down, and encrypts the snapshot, memory and virtual disk files of each machine. This is not the first malware disclosed targeting ESXi servers: more recently, in our Daily Diary #440, we covered a LockBit variant with similar behavior.

For the encryption, it uses the SOSEMANUK stream cipher (just like the Yanluowang ransomware, covered in our Daily Diary #494). After the encryption phase is done, the malware drops a ransom note asking for contact within 3 days and threatening to publish some of the files and raise the price if no contact is made. The ransom note also contains a link to a dark web page where the victims can negotiate.
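The file types listed above (virtual disks, snapshots, memory images) are exactly what a defender can watch for after the fact: encrypted output is close to 8 bits of entropy per byte, while thin disks, memory images and the plaintext .vmx/.vmsd/descriptor files are not. The script below, written for this diary entry and not code from Cheers or from VMware, walks a datastore directory and flags VM files that look encrypted in place. The directory layout, file names, the ".vmx"-starts-with-ASCII and "descriptor .vmdk starts with `# Disk DescriptorFile`" expectations, and the entropy thresholds are assumptions chosen for the example; the sample datastore it builds is constructed, not real VM data.

```python
"""Flag VM files on a datastore that look encrypted in place.

Added example for the diary entry; not Cheers code or VMware tooling.
Paths, file layout and thresholds are assumptions for illustration.
"""
import math
import os
import random
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024
BINARY_ENTROPY_MAX = 7.5   # bits/byte; ciphertext sits at ~8.0, VM images rarely do
TEXT_ENTROPY_MAX = 6.0     # vmx/vmsd/descriptor files are ASCII, usually well below 5.5
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"   # header of a .vmdk descriptor file (assumed)

# File types the diary says the ransomware goes after (disk, snapshot, memory)
# plus the VM configuration files kept alongside them.
VM_SUFFIXES = (".vmdk", ".vmem", ".vmsn", ".vmx", ".vmsd", ".vmxf", ".nvram")


def is_text_format(name: str) -> bool:
    """vmx/vmsd/vmxf and .vmdk *descriptor* files are plaintext; -flat/-delta/
    -sesparse .vmdk extents, .vmem, .vmsn and .nvram are binary."""
    name = name.lower()
    if name.endswith((".vmx", ".vmsd", ".vmxf")):
        return True
    return name.endswith(".vmdk") and not name.endswith(
        ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: str):
    """Return a reason string if the file looks encrypted, else None."""
    name = os.path.basename(path)
    if not name.lower().endswith(VM_SUFFIXES):
        return None
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)        # first 64 KiB is enough to judge entropy
    entropy = shannon_entropy(head)
    if is_text_format(name):
        if name.lower().endswith(".vmdk") and not head.startswith(DESCRIPTOR_MAGIC):
            return f"vmdk descriptor lost its header (entropy {entropy:.2f})"
        if entropy > TEXT_ENTROPY_MAX:
            return f"text config file has entropy {entropy:.2f}"
    elif entropy > BINARY_ENTROPY_MAX:
        return f"binary VM file has entropy {entropy:.2f}"
    return None


def scan_datastore(root: str):
    """Walk a datastore mount and return [(path, reason)] for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            reason = inspect_file(path)
            if reason:
                findings.append((path, reason))
    return findings


def flagged_names(root: str):
    """Sorted basenames of the flagged files, for quick comparison."""
    return sorted(os.path.basename(p) for p, _ in scan_datastore(root))


def build_sample_datastore() -> str:
    """Constructed sample, not real VM data: one healthy VM, one encrypted VM."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    good = os.path.join(root, "web01")
    bad = os.path.join(root, "db01")
    os.makedirs(good)
    os.makedirs(bad)
    descriptor = (b"# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n"
                  b"createType=\"vmfs\"\nRW 2097152 VMFS \"web01-flat.vmdk\"\n")
    with open(os.path.join(good, "web01.vmdk"), "wb") as fh:
        fh.write(descriptor)
    with open(os.path.join(good, "web01-flat.vmdk"), "wb") as fh:
        fh.write(b"\x00" * SAMPLE_BYTES)     # zero-filled thin disk extent
    with open(os.path.join(good, "web01.vmx"), "wb") as fh:
        fh.write(b'.encoding = "UTF-8"\nconfig.version = "8"\n')
    rng = random.Random(1234)                # deterministic stand-in for ciphertext
    for name in ("db01.vmdk", "db01-flat.vmdk", "db01.vmem", "db01-Snapshot1.vmsn"):
        with open(os.path.join(bad, name), "wb") as fh:
            fh.write(bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    return root


if __name__ == "__main__":
    for path, reason in scan_datastore(build_sample_datastore()):
        print(f"{path}: {reason}")
```

Run against a real mount (for example `scan_datastore("/vmfs/volumes/datastore1")` on the host, or over a copy taken for forensics), this reports every VM file whose content no longer looks like what its name promises. One caveat when reading the output: a `-flat.vmdk` extent belonging to a guest that runs full-disk encryption will legitimately score near 8 bits per byte, so a binary-only hit should be cross-checked against the text files in the same folder, which never have a reason to be high-entropy.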

This incident is yet another example of why companies should take special care with hypervisor servers. From an attacker's point of view, they are a very valuable target: a single compromise can damage every guest machine on the host and shut down critical pieces of the infrastructure. Companies should adopt a Zero Trust model, restricting access to those servers to segmented management networks and reducing the chances of an attacker being able to reach them.


Kind Regards,





Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

