Ransomware
VMware ESXi servers under attack from novel Cheers ransomware
Vulnerable VMware ESXi servers are being impacted by the new Cheers, or Cheerscrypt, ransomware strain, according to BleepingComputer.
Trend Micro researchers discovered that an encryptor is launched on compromised VMware ESXi servers, followed by automated enumeration of the virtual machines, which are then shut down with an esxcli command. Files with the .vmdk, .log, .vmsn, .vswp, and .vmem extensions are then encrypted and have a .Cheers extension appended, said the report, which also found that ransom notes are created while the Cheers ransomware searches for encryptable files. Four semi-large entities have already been listed as Cheers victims on its data leak and victim extortion Onion site, BleepingComputer revealed.
Attackers have been observed giving victims a three-day period to negotiate ransoms through the given Tor site. If the ransom is not paid, the threat actors will offer the stolen data for sale, and will post it on the leak portal if it is not sold.
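The renaming behaviour described above gives responders a simple way to scope the damage per virtual machine. The following triage sketch is an added example, not code from Trend Micro or BleepingComputer; it assumes a plain-text file listing collected from the datastore, and the paths in the sample are constructed.

```python
import re
from collections import defaultdict

# Extensions the report lists as targeted; ".Cheers" is appended after encryption.
TARGET_EXTS = ("vmdk", "log", "vmsn", "vswp", "vmem")
ENCRYPTED = re.compile(r"\.(%s)\.cheers$" % "|".join(TARGET_EXTS), re.IGNORECASE)
PLAIN = re.compile(r"\.(%s)$" % "|".join(TARGET_EXTS), re.IGNORECASE)

# Constructed sample listing (assumed to come from a recursive file listing
# of the datastore); the VM names and paths are illustrative, not real data.
SAMPLE_LISTING = """\
/vmfs/volumes/datastore1/web01/web01.vmdk.Cheers
/vmfs/volumes/datastore1/web01/web01-flat.vmdk.Cheers
/vmfs/volumes/datastore1/web01/vmware.log.Cheers
/vmfs/volumes/datastore1/web01/web01.vmx
/vmfs/volumes/datastore1/db01/db01.vmdk.Cheers
/vmfs/volumes/datastore1/db01/db01-flat.vmdk
/vmfs/volumes/datastore1/db01/db01.vswp
/vmfs/volumes/datastore1/build01/build01.vmdk
/vmfs/volumes/datastore1/build01/vmware.log
"""

def triage(listing):
    """Classify each VM directory as 'encrypted', 'partial' or 'clean'."""
    counts = defaultdict(lambda: {"encrypted": 0, "plain": 0})
    for path in filter(None, (line.strip() for line in listing.splitlines())):
        directory, _, name = path.rpartition("/")
        if ENCRYPTED.search(name):
            counts[directory]["encrypted"] += 1
        elif PLAIN.search(name):
            counts[directory]["plain"] += 1
        # Files with other extensions (e.g. .vmx) are not in the targeted set.
    report = {}
    for directory, c in counts.items():
        if c["encrypted"] and c["plain"]:
            # Mixed state: encryption was interrupted or may still be running.
            report[directory] = "partial"
        elif c["encrypted"]:
            report[directory] = "encrypted"
        else:
            report[directory] = "clean"
    return report

if __name__ == "__main__":
    for directory, state in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{state:10} {directory}")
```

A "partial" directory is the one to prioritise, since some of that VM's targeted files are still unencrypted.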