Ransomware Attack (Cheerscrypt)

Introduction: This analysis focuses on Cheerscrypt ransomware, a multiplatform threat that surfaced in May 2022. With a Linux version initially launched, followed by a Windows variant in June 2022, Cheerscrypt is characterized by targeting corporate networks and engaging in multi-extortion tactics, demanding payment for decryption tools and the non-release of stolen data. The ransomware incorporates code from the leaked Babuk builders and shares functionality with the Babuk family.

Target and Modus Operandi: Cheerscrypt primarily targets the healthcare, financial services, entertainment, and education industries, with limited SMB (small to medium-sized businesses) targeting observed. The ransomware is delivered via Cobalt Strike or similar frameworks, and threat actors have exploited the Log4Shell vulnerability for initial access.
Technical Insights: The Linux variant, emerging in May 2022, specifically targeted VMware ESXi servers. Cheerscrypt only requires a supplied encryption path to initiate the encryption process. It attempts to rename files before encryption and terminate VMware-related processes. Analysis of samples reveals the use of ECDH (Elliptic-curve Diffie-Hellman) and an embedded public key for encryption. Encrypted files bear the “.Cheers” extension, and a ransom note named “How to Restore Your Files.txt” is left in directories containing encrypted files. Cheerscrypt actors employ tools such as Impacket, Keylogger, NPS, and IOX for reconnaissance, lateral movement, and data collection/exfiltration.

Detection Strategies: EDR is equipped to identify and prevent malicious activities and artifacts associated with Cheerscrypt ransomware. For organizations without this specific security solution, a comprehensive approach is recommended:

Security Tools: Deploy anti-malware software or security tools capable of detecting and blocking known ransomware variants using signatures, heuristics, or machine learning algorithms.
Network Traffic Monitoring: Regularly monitor network traffic to identify indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
Security Audits: Conduct periodic security audits to identify vulnerabilities in the network and system, ensuring all security controls are effective.
Education & Training: Educate employees on cybersecurity best practices, emphasizing the identification and reporting of suspicious emails and other threats.
Backup & Recovery Planning: Implement a robust backup and recovery plan to restore data in case of an attack.

Mitigation Measures: , the following steps can help mitigate the risk of Cheerscrypt ransomware attacks:

Employee Education: Ensure employees are educated on ransomware risks, phishing email identification, and avoidance of malicious attachments.
Strong Passwords: Implement strong, unique passwords for user accounts, regularly updating and rotating them.
Multi-Factor Authentication (MFA): Enable MFA for user accounts to add an extra layer of security through mobile apps or physical tokens.
System Updates and Patching: Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
Backup and Disaster Recovery (BDR): IEstablish regular BDR processes, testing backups stored offsite for quick recovery.

A proactive cybersecurity approach, encompassing employee education, preventive measures, and recovery strategies, is essential to effectively mitigate ransomware threats like Cheerscrypt.

Back