New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\"><br \/>\n<meta property=\"og:title\" content=\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\"><br \/>\n<meta property=\"og:description\" content=\"Trend Micro Research detected \u201cCheerscrypt\u201d, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report. \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\"><br \/>\n<meta name=\"twitter:description\" content=\"Trend Micro Research detected \u201cCheerscrypt\u201d, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report. \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.7224\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"822165118\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.243902439024\">\n<div class=\"article-details\" role=\"heading\" readability=\"40\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">Trend Micro Research detected \u201cCheerscrypt\u201d, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings in this report. <\/p>\n<p class=\"article-details__author-by\">By: Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, Warren Sto.Tomas <time class=\"article-details__date\">May 25, 2022<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"37.47572815534\">\n<div readability=\"23.422330097087\">\n<p>We recently observed multiple Linux-based <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/ransomware\" target=\"_self\" rel=\"noopener\">ransomware<\/a> detections that malicious actors launched to target <a href=\"https:\/\/www.vmware.com\/products\/esxi-and-esx.html\">VMware ESXi<\/a> servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. We encountered <a href=\"http:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Ransom.Linux.CHEERSCRYPT.A\/\" target=\"_blank\" rel=\"noopener\">Cheerscrypt<\/a>, a new ransomware family, that has been targeting a customer\u2019s ESXi server used to manage VMware files.<\/p>\n<p>In the past, ESXi servers were also attacked by other known ransomware families such as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-lockbit\" target=\"_blank\" rel=\"noopener\">LockBit<\/a>, <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-hive\" target=\"_blank\" rel=\"noopener\">Hive<\/a>, and <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/news\/ransomware-spotlight\/ransomware-spotlight-ransomexx\" target=\"_blank\" rel=\"noopener\">RansomEXX<\/a> as an efficient way to infect many computers with ransomware.<\/p>\n<p>This blog entry provides an overview of Cheerscrypt\u2019s infection routine based on the information we have gathered so far.<\/p>\n<p><span class=\"body-subhead-title\">Infection routine<\/span><\/p>\n<p>The ransomware requires an input parameter specifying the path to encrypt so that it can proceed to its Infection routine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt01.png\" alt=\"Figure 1. Ransomware command line\"><figcaption>Figure 1. Ransomware command line<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"32.988047808765\">\n<div readability=\"13.386454183267\">\n<p>Upon execution, it implements the following command to terminate VM processes using <a href=\"https:\/\/developer.vmware.com\/web\/tool\/7.0\/esxcli\" target=\"_blank\" rel=\"noopener\">ESXCLI<\/a>:<\/p>\n<blockquote><p><i>\u201cesxcli vm process kill \u2013type=force \u2013world-id=$(esxcli vm process list|grep \u2018World ID\u2019|awk \u2018{print $3}\u2019)\u201d<\/i><\/p><\/blockquote>\n<p>The termination of the VM processes ensures that the ransomware can successfully encrypt VMware-related files. Similar to other infamous ransomware families, Cheerscrypt employs the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/ransomware-double-extortion-and-beyond-revil-clop-and-conti\">double extortion<\/a> scheme to coerce its victim to pay the ransom, as shown on their ransom note in Figure 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt02.png\" alt=\"Figure 2. Cheerscrypt\u2019s ransom note\"><figcaption>Figure 2. Cheerscrypt\u2019s ransom note<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Successfully encrypted files are renamed with the .Cheers extension. However, the ransomware first renames the files it will encrypt before encrypting the files. Thus, if the access permission for the file was not granted, it cannot proceed with the actual encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt03.png\" alt=\"Figure 3. Cheerscrypt renames the sample before encryption.\"><figcaption>Figure 3. Cheerscrypt renames the sample before encryption.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>For each directory it encrypts, it will drop the ransom note named, \u201cHow to Restore Your Files.txt\u201d. It seeks out log files and VMware-related files with the following extensions:<\/p>\n<ul>\n<li>\u00b7 <span class=\"rte-red-bullet\">.log<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7 .vmdk<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7 .vmem<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7 .vswp<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7 .vmsn<\/span><\/li>\n<\/ul>\n<p>After successful encryption, it displays the following console that contains the data statistics of its routine:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt04.png\" alt=\"Figure 4. Displayed console after encryption\"><figcaption>Figure 4. Console displayed after encryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.974208675264\">\n<div readability=\"13.786635404455\">\n<p><span class=\"body-subhead-title\">Encryption algorithm<\/span><\/p>\n<p>Cheerscrypt\u2019s executable file contains the public key of a matching key pair with the private key being held by the malicious actor. The ransomware uses <a href=\"https:\/\/www.ecrypt.eu.org\/stream\/e2-sosemanuk.html\" target=\"_blank\" rel=\"noopener\">SOSEMANUK<\/a> stream cipher to encrypt files and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_Diffie%E2%80%93Hellman\" target=\"_blank\" rel=\"noopener\">ECDH<\/a> to generate the SOSEMANUK key. For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux\u2019s \/dev\/urandom. It then uses its embedded public key and the generated private key to create a secret key that will be used as a SOSEMANUK key. After encrypting the file, it will append the generated public key to it. Since the generated private key is not saved, one cannot use the embedded public key with the generated private key to produce the secret key. Therefore, decryption is only possible if the malicious actor\u2019s private key is known. The infection chain is shown on Figure 5.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt05REV3.png\" alt=\"Figure 5. Cheerscrypt\u2019s encryption algorithm\"><figcaption>Figure 5. Cheerscrypt\u2019s encryption algorithm<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.545549374131\">\n<div readability=\"20.883171070932\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>ESXi is widely used in enterprise settings for server virtualization. It is therefore a popular target for ransomware attacks. As mentioned, compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices. Organizations should thus expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.<\/p>\n<p><span class=\"body-subhead-title\">Recommendations <\/span><\/p>\n<p>A proactive stance that ensures solid cybersecurity defenses against modern ransomware threats is crucial for organizations to thrive in an ever-changing threat landscape. To protect systems against similar attacks, organizations can establish security frameworks that systematically allocate resources based on an enterprise\u2019s needs. <\/p>\n<p>Organizations can benefit from following the security frameworks established by the <a href=\"https:\/\/www.cisecurity.org\/controls\/\" target=\"_blank\" rel=\"noopener\">Center of Internet Security<\/a> and the <a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology<\/a> when developing their own cybersecurity strategies. The frameworks they created help security teams to mitigate risks and minimize exposure to threats. Adopting the best practices discussed in their respective frameworks can save organizations the time and effort when they customize their own. Their frameworks guide organizations through the entire process of planning while providing suggestions on measures that need to be established first.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro Research detected \u201cCheerscrypt\u201d, a new Linux-based ransomware variant that compromises ESXi servers. We discuss our initial findings on in this report. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":46829,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-46828","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-25T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\",\"datePublished\":\"2022-05-25T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/\"},\"wordCount\":766,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/\",\"name\":\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png\",\"datePublished\":\"2022-05-25T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png\",\"width\":576,\"height\":139},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/","og_locale":"en_US","og_type":"article","og_title":"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-05-25T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices","datePublished":"2022-05-25T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/"},"wordCount":766,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/","url":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/","name":"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png","datePublished":"2022-05-25T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.png","width":576,"height":139},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46828","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=46828"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46828\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/46829"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=46828"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=46828"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=46828"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\")