Cheerscrypt

Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.^[1]^[2]

ID: S1096

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 18 December 2023

Last Modified: 15 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID	Name	Use
Enterprise	T1486	Data Encrypted for Impact	Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key.^[2]^[1]
Enterprise	T1083	File and Directory Discovery	Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.^[2]
Enterprise	T1489	Service Stop	Cheerscrypt has the ability to terminate VM processes on compromised hosts through execution of `esxcli vm process kill`.^[2]

Groups That Use This Software

ID	Name	References
G1021	Cinnamon Tempest	^[1]^[2]

References

Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.

Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.

Cheerscrypt

Enterprise Layer

Techniques Used

Groups That Use This Software

References