{"id":46922,"date":"2022-05-25T00:00:00","date_gmt":"2022-05-25T00:00:00","guid":{"rendered":"urn:uuid:88bf4cd8-6cb9-6134-8035-33340c131fb3"},"modified":"2022-05-25T00:00:00","modified_gmt":"2022-05-25T00:00:00","slug":"new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/","title":{"rendered":"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <!-- Begin mPulse library --> <!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report. 
\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"endpoints,ransomware,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-05-25\"> <meta property=\"article:tag\" content=\"ransomware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\"> <title>New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\"><br \/>\n<meta property=\"og:title\" content=\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\"><br \/>\n<meta property=\"og:description\" content=\"New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report. 
\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices\"><br \/>\n<meta name=\"twitter:description\" content=\"New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report. \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.001215436038\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"822165118\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.771889400922\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.129032258065\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p 
class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report. <\/p>\n<p class=\"article-details__author-by\">By: Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, Warren Sto.Tomas <time class=\"article-details__date\">May 25, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"44.609103078983\">\n<div readability=\"37.016064257028\">\n<p>We recently discovered that <a href=\"http:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Ransom.Linux.CHEERSCRYPT.A\/\" target=\"_blank\" rel=\"noopener\">Cheerscrypt<\/a>, the new Linux-based <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/ransomware\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> that we detected in multiple attacks targeting ESXi servers, was based on the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/babuk-ransomwares-full-source-code-leaked-on-hacker-forum\/\" target=\"_blank\" rel=\"noopener\">leaked Babuk source code<\/a>. Upon scrutiny, we found similarities between Cheerscrypt and the Linux version of the Babuk ransomware, specifically its ESXi version. 
The base code of Cheerscrypt appears to be derived from the Babuk source code, but modified and customized to suit the malicious actor\u2019s ransomware goals.<\/p>\n<p>This blog entry discusses our findings and provides an overview of Cheerscrypt\u2019s infection routine based on the information we have gathered so far.<\/p>\n<p><span class=\"body-subhead-title\">Brief background<\/span><\/p>\n<p>Over the past few weeks, we observed several Linux-based ransomware detections that malicious actors launched to target <a href=\"https:\/\/www.vmware.com\/products\/esxi-and-esx.html\" target=\"_blank\" rel=\"noopener\">VMware ESXi<\/a> servers. ESXi is a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. During this period, we encountered Cheerscrypt, a new ransomware family that has been targeting a customer\u2019s ESXi server used to manage VMware files.<\/p>\n<p>In the past, ESXi servers were also attacked by other known ransomware families such as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-lockbit\" target=\"_blank\" rel=\"noopener\">LockBit<\/a>, <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-hive\" target=\"_blank\" rel=\"noopener\">Hive<\/a>, and <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-ransomexx\" target=\"_blank\" rel=\"noopener\">RansomEXX<\/a> as an efficient way to infect many computers with ransomware.<\/p>\n<p>This blog entry provides an overview of Cheerscrypt\u2019s infection routine based on the information we have gathered so far.<\/p>\n<p><span class=\"body-subhead-title\">Infection routine<\/span><\/p>\n<p>The ransomware requires an input parameter specifying the path to encrypt so that it can proceed to its infection routine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure 
class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt01.png\" alt=\"Figure 1. Ransomware command line\"><figcaption>Figure 1. Ransomware command line<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"32.988047808765\">\n<div readability=\"13.386454183267\">\n<p>Upon execution, it implements the following command to terminate VM processes using <a href=\"https:\/\/developer.vmware.com\/web\/tool\/7.0\/esxcli\" target=\"_blank\" rel=\"noopener\">ESXCLI<\/a>:<\/p>\n<blockquote><p><i>\u201cesxcli vm process kill \u2013type=force \u2013world-id=$(esxcli vm process list|grep \u2018World ID\u2019|awk \u2018{print $3}\u2019)\u201d<\/i><\/p><\/blockquote>\n<p>The termination of the VM processes ensures that the ransomware can successfully encrypt VMware-related files. Similar to other infamous ransomware families, Cheerscrypt employs the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/ransomware-double-extortion-and-beyond-revil-clop-and-conti\">double extortion<\/a> scheme to coerce its victim to pay the ransom, as shown on their ransom note in Figure 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt02.png\" alt=\"Figure 2. Cheerscrypt\u2019s ransom note\"><figcaption>Figure 2. Cheerscrypt\u2019s ransom note<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Successfully encrypted files are renamed with the .Cheers extension. However, the ransomware first renames the files it will encrypt before encrypting the files. 
Thus, if the access permission for the file was not granted, it cannot proceed with the actual encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt03.png\" alt=\"Figure 3. Cheerscrypt renames the sample before encryption.\"><figcaption>Figure 3. Cheerscrypt renames the sample before encryption.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>For each directory it encrypts, it will drop the ransom note named, \u201cHow to Restore Your Files.txt\u201d.&nbsp; It seeks out log files and VMware-related files with the following extensions:<\/p>\n<ul>\n<li>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span class=\"rte-red-bullet\">.log<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .vmdk<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .vmem<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .vswp<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .vmsn<\/span><\/li>\n<\/ul>\n<p>After successful encryption, it displays the following console that contains the data statistics of its routine:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt04.png\" alt=\"Figure 4. Displayed console after encryption\"><figcaption>Figure 4. 
Console displayed after encryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.974208675264\">\n<div readability=\"13.786635404455\">\n<p><span class=\"body-subhead-title\">Encryption algorithm<\/span><\/p>\n<p>Cheerscrypt\u2019s executable file contains the public key of a key pair whose private key is held by the malicious actor. The ransomware uses the <a href=\"https:\/\/www.ecrypt.eu.org\/stream\/e2-sosemanuk.html\" target=\"_blank\" rel=\"noopener\">SOSEMANUK<\/a> stream cipher to encrypt files and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_Diffie%E2%80%93Hellman\" target=\"_blank\" rel=\"noopener\">ECDH<\/a> to generate the SOSEMANUK key. For each file to encrypt, it generates an ECDH public-private key pair on the machine through Linux\u2019s \/dev\/urandom. It then uses its embedded public key and the generated private key to create a secret key that will be used as the SOSEMANUK key. After encrypting the file, it appends the generated public key to it. Since the generated private key is not saved, one cannot combine it with the embedded public key to reproduce the secret key; the only other way to derive the same ECDH shared secret is from the appended public key and the malicious actor\u2019s private key. Therefore, decryption is only possible if the malicious actor\u2019s private key is known. The infection chain is shown in Figure 5.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscrypt05REV3.png\" alt=\"Figure 5. Cheerscrypt\u2019s encryption algorithm\"><figcaption>Figure 5. 
Cheerscrypt\u2019s encryption algorithm<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.993392070485\">\n<div readability=\"13.794419970631\">\n<p><span class=\"body-subhead-title\">New findings: Cheerscrypt linked to Babuk<\/span><\/p>\n<p>Unlike Cheerscrypt, Babuk\u2019s malware version used to compromise ESXi servers ensured that the files were encrypted before it renamed the target files. This goes to show that despite the Babuk ransomware operator\u2019s announcement of their <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/babuk-ransomware-readies-shut-down-post-plans-to-open-source-malware\/\" target=\"_blank\" rel=\"noopener\">retirement<\/a> \u2014 after claiming they already achieved their goals \u2014 their impact can still affect different organizations when other malicious actors build upon the source code they leaked. We provide Babuk\u2019s source code for the malware variant specific to ESXi servers in Figure 6. In Figure 7, we can see that Cheerscrypt\u2019s source code was based on Babuk\u2019s source code that was leaked before.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptBabuk.png\" alt=\"Figure 6. Babuk\u2019s source code for the malware variant used to target ESXi servers\"><figcaption>Figure 6. Babuk\u2019s source code for the malware variant used to target ESXi servers<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptSourceCode.png\" alt=\"Figure 7. 
Cheerscrypt\u2019s source code with similarities to Babuk\u2019s source code \"><figcaption>Figure 7. Cheerscrypt\u2019s source code with similarities to Babuk\u2019s source code <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.545549374131\">\n<div readability=\"20.883171070932\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>ESXi is widely used in enterprise settings for server virtualization. It is therefore a popular target for ransomware attacks. As mentioned, compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices. Organizations should thus expect malicious actors to upgrade their malware arsenal and breach as many systems and platforms as they can for monetary gain.<\/p>\n<p><span class=\"body-subhead-title\">Recommendations<\/span><\/p>\n<p>A proactive stance that ensures solid cybersecurity defenses against modern ransomware threats is crucial for organizations to thrive in an ever-changing threat landscape. To protect systems against similar attacks, organizations can establish security frameworks that systematically allocate resources based on an enterprise\u2019s needs.<\/p>\n<p>Organizations can benefit from following the security frameworks established by the <a href=\"https:\/\/www.cisecurity.org\/controls\/\" target=\"_blank\" rel=\"noopener\">Center for Internet Security<\/a> and the <a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology<\/a> when developing their own cybersecurity strategies. The frameworks they created help security teams mitigate risks and minimize exposure to threats. Adopting the best practices discussed in their respective frameworks can save organizations time and effort when they customize their own. 
Their frameworks guide organizations through the entire process of planning while providing suggestions on measures that need to be established first.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New findings showed that Cheerscrypt, a new Linux-based ransomware variant that compromises ESXi servers, was derived from the leaked Babuk source code. We discuss our analysis in this report. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":46923,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-46922","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-25T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code\",\"datePublished\":\"2022-05-25T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/\"},\"wordCount\":1015,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/\",\"name\":\"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png\",\"datePublished\":\"2022-05-25T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png\",\"width\":576,\"height\":139},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub 
Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\
"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/","og_locale":"en_US","og_type":"article","og_title":"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-05-25T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices\/cheerscryptresized.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source 
Code","datePublished":"2022-05-25T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/"},"wordCount":1015,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/","url":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/","name":"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png","datePublished":"2022-05-25T00:00:00+00:00","description":"ThreatsHub Cybersecurity 
News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code.png","width":576,"height":139},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/new-linux-based-ransomware-cheerscrypt-targeting-esxi-devices-linked-to-leaked-babuk-source-code\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - 
Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013 Threat Intelligence Portal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 Security Operation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - Targeted Attack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services - Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46922","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=46922"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46922\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/46923"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=46922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=46922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=46922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}