Ransomware Cheerscrypt targets VMware ESXi systems • The Register

Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

“ESXi is widely used in enterprise settings for server virtualization,” Trend Micro noted in a write-up this week. “It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices.”

Yehuda Rosen, senior software engineer at cybersecurity company nVisium, said an ESXi server “is so much more than just a server.”

“It can host dozens of virtualized machines, which increases its importance within an organization’s IT environment, and therefore also dramatically raises the chances that an organization will pay the ransom to recover their servers,” Rosen told The Register. “If an attacker can hold multiple [virtual] servers ransom by infecting one machine, that decreases their own workload and increases the potential payoff.”

The latest ransomware targeting VMware’s hypervisor is one Trend’s researchers are calling Cheerscrypt – or simply Cheers – and like an increasing number of outbreaks, comes with a double-extortion threat aimed at incentivizing victims to pay the demanded ransom.

ransomware attaack

Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware


In the ransom note that pops up on a victim’s screens, the cybercriminals give the organization three days to contact them. Otherwise, the group…