Cheerscrypt Ransomware: Analysis, Detection, and Recovery

Cheerscrypt Ransomware: Unveiling the Multi-Platform Cyber Threat

In the ever-evolving landscape of cyber threats, ransomware has emerged as a formidable challenge for organizations worldwide. Among the newest entrants is Cheerscrypt ransomware, a multi-platform malware that has captured the attention of cybersecurity experts due to its sophisticated mechanisms and ties to state-sponsored hacking groups. This article delves deep into the anatomy of Cheerscrypt, exploring its technical nuances, attack methodologies, and the broader implications for cybersecurity.

What is Cheerscrypt Ransomware?

Cheerscrypt ransomware is a malicious software strain that encrypts victims’ files, demanding a ransom to restore access. It first appeared in May 2022, targeting Linux systems, particularly VMware ESXi servers. A subsequent Windows variant emerged in June 2022, showcasing the ransomware’s multi-platform capabilities. Cheerscrypt is believed to have evolved from the leaked Babuk builders, sharing several functionalities with its predecessor.

The Emergence of Cheerscrypt

Cheerscrypt first came to light when cybersecurity researchers at Trend Micro discovered an encryptor targeting VMware ESXi servers. The ransomware appends a “.Cheers” extension to encrypted files and leaves a note titled “How to Restore Your Files.txt” in affected directories. Its delivery methods include the exploitation of the Log4Shell vulnerability and the use of frameworks like Cobalt Strike for initial access.

Technical Aspects of Cheerscrypt Ransomware

Cheerscrypt encrypts files using a combination of the SOSEMANUK stream cipher and Elliptic-curve Diffie-Hellman (ECDH), with a public key embedded in the executable and the private key retained by the attackers. This design ensures that only the attackers can provide the decryption key upon payment of the ransom. The ransomware also utilizes various tools for reconnaissance, lateral movement, and data exfiltration, including Impacket, a keylogger, NPS, and IOX.

Cheerscrypt Attack Methodology

Cheerscrypt’s attack methodology is multi-staged and begins with gaining initial access through vulnerabilities such as Log4Shell. Once inside the network, it uses tools like Cobalt Strike to establish a foothold. The ransomware is engineered to terminate VMware-related processes to ensure files are available for encryption. If the ransomware lacks sufficient permissions to rename files, the encryption process may fail, providing a potential avenue for avoiding file damage.

Cheerscrypt’s Multi-Platform Capabilities

Initially believed to target only ESXi servers, further investigations by Sygnia revealed that Cheerscrypt also poses a threat to Windows servers. This versatility makes Cheerscrypt particularly dangerous, as it can infiltrate a wide range of enterprise environments.

The Threat Actors Behind Cheerscrypt: Emperor Dragonfly

Cheerscrypt has been linked to a Chinese hacking group known as ‘Emperor Dragonfly,’ also referred to as Bronze Starlight by Secureworks and DEV-0401 by Microsoft. This group is notorious for its use of ransomware as a potential decoy for cyber espionage, which has led to increased scrutiny by security experts. Emperor Dragonfly’s tactics include using a DLL-sideloading technique similar to Night Sky TTPs and employing double-extortion tactics, threatening to publish stolen data if the ransom is not paid.

The Cybersecurity Threat Landscape and Cheerscrypt

Cheerscrypt is part of a broader ransomware threat landscape that has seen a significant rise in double extortion schemes. These attacks not only encrypt data but also exfiltrate it, threatening to release sensitive information publicly if the ransom is not paid. The use of cryptocurrencies in these operations adds a layer of complexity, as it provides the attackers with a certain level of anonymity and makes transactions harder to trace.

Mitigation and Detection Strategies

Detecting and mitigating Cheerscrypt ransomware requires a multi-faceted approach. The SentinelOne Singularity XDR Platform is designed to identify and stop Cheerscrypt-related activities. However, organizations not utilizing SentinelOne can still protect themselves by employing anti-malware tools with signature, heuristic, or machine learning detection capabilities, monitoring network traffic for indicators of compromise, and conducting regular security audits.

Steps to Mitigate Cheerscrypt Ransomware

To mitigate the risk of a Cheerscrypt infection, organizations should educate employees about ransomware risks, implement strong, unique passwords, enable multi-factor authentication (MFA), and keep systems updated with the latest patches. Additionally, a robust backup and disaster recovery plan is essential, with regular backups stored offsite and tested for integrity.

Responding to a Cheerscrypt Infection

In the unfortunate event of a Cheerscrypt infection, time is of the essence. Organizations must quickly move to contain the threat and mitigate damages. The first step is to identify the indicators of compromise (IoCs), which can include specific MD5 hashes, IP addresses, and suspicious file names associated with the ransomware. Security teams should also look for evidence of tools typically used by Emperor Dragonfly, such as SMBExec and WMIExec executions, and monitor for unusual user authentications.

Once IoCs are identified, the next phase is incident response. Affected systems should be isolated to prevent the spread of ransomware. The use of a comprehensive endpoint detection and response (EDR) solution can help in identifying and halting the attack in progress. Following containment, efforts should focus on eradicating the ransomware from the network and recovering data from backups. It’s crucial that recovery processes are tested regularly to ensure they are effective in the event of an actual attack.
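
During triage, the two file-system artifacts this article names (the “.Cheers” extension and the “How to Restore Your Files.txt” note) can be swept for to scope which directories were hit. The following is an added example, not code from the original article or any vendor tool; the function names, the case-insensitive matching, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Artifact names as given in this article; case-insensitive matching is an assumption.
ENCRYPTED_EXT = ".cheers"
NOTE_NAME = "how to restore your files.txt"

def sweep(root):
    """Summarise artifacts per directory; return (summary, earliest .Cheers mtime)."""
    dirs = defaultdict(lambda: {"encrypted": [], "note": False})
    earliest = None  # oldest mtime among renamed files: rough start of encryption
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                dirs[dirpath]["note"] = True
            elif lower.endswith(ENCRYPTED_EXT):
                dirs[dirpath]["encrypted"].append(name)
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
                earliest = mtime if earliest is None else min(earliest, mtime)
    return dict(dirs), earliest

def classify(summary):
    """Return (dirs with renamed files, dirs holding only a ransom note)."""
    hit = sorted(d for d, s in summary.items() if s["encrypted"])
    # Note-only dirs: a failed rename can stop encryption, so verify these first.
    note_only = sorted(d for d, s in summary.items()
                       if s["note"] and not s["encrypted"])
    return hit, note_only

def build_sample_tree(base):
    """Constructed sample: one encrypted VM folder, one note-only, one clean."""
    layout = {
        "vm01": ["vm01.vmdk.Cheers", "vm01.vmx.Cheers", "How to Restore Your Files.txt"],
        "vm02": ["vm02.vmdk", "How To Restore Your Files.txt"],
        "iso": ["installer.iso"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub))
        for n in names:
            open(os.path.join(base, sub, n), "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hit, note_only = classify(sweep(build_sample_tree(tmp))[0])
        print("encrypted:", hit, "note-only:", note_only)
```

Run it against a read-only mount or snapshot of the affected datastore so that the sweep itself does not alter timestamps needed for the incident timeline.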

The Role of Cryptocurrencies in Ransomware

Cryptocurrencies have become the preferred method of payment for ransomware attackers due to their perceived anonymity and the difficulty in tracing transactions. Cheerscrypt is no exception, demanding payment in digital currencies. This trend has led to increased regulatory scrutiny and efforts by law enforcement to track and disrupt the financial networks that support ransomware operations. Organizations must be aware of the role cryptocurrencies play in these attacks and consider the legal and ethical implications of paying ransoms.


Cheerscrypt ransomware represents a sophisticated and adaptable cyber threat that can target both Linux and Windows systems. Its association with the Emperor Dragonfly hacking group adds a layer of complexity, as the group’s activities may blend financial motives with state-sponsored espionage. The emergence of Cheerscrypt underscores the need for organizations to remain vigilant and proactive in their cybersecurity defenses.

To defend against Cheerscrypt and similar threats, organizations must prioritize security best practices, including regular patching, strong authentication measures, employee education, and robust backup and recovery strategies. By understanding the threat landscape and implementing comprehensive mitigation and response plans, businesses can better protect themselves from the disruptive and costly impact of ransomware attacks.

Ransomware threats like Cheerscrypt are a stark reminder of the importance of cybersecurity in the digital age. As threat actors continue to evolve their tactics, so too must our defenses. By staying informed and prepared, we can collectively reduce the efficacy of these malicious campaigns and safeguard our data and systems against the ever-present threat of ransomware.