Credit goes to attack.mitre.org

Cheerscrypt

Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[1][2]

ID: S1096
Type: MALWARE
Platforms: Windows, ESXi
Version: 1.1
Created: 18 December 2023
Last Modified: 15 April 2025

Techniques Used

Domain ID Name Use
Enterprise T1059.012 Command and Scripting Interpreter: Hypervisor CLI

Cheerscrypt has leveraged esxcli in order to terminate running virtual machines.[2]

Enterprise T1486 Data Encrypted for Impact

Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key.[2][1]

Enterprise T1083 File and Directory Discovery

Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.[2]

Enterprise T1489 Service Stop

Cheerscrypt has the ability to terminate VM processes on compromised hosts through execution of esxcli vm process kill.[2]

Enterprise T1673 Virtual Machine Discovery

Cheerscrypt has leveraged esxcli vm process list in order to gather a list of running virtual machines to terminate them.[2]
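The esxcli commands and technique IDs in the rows above can be turned into a simple host-side detection. The following is an added example, not code from the ATT&CK page or from any vendor: it assumes a log format modelled on ESXi /var/log/shell.log (the sample lines are constructed), maps each command to the technique IDs listed here, and flags the discovery-then-termination sequence (process list followed by process kill).

```python
import re
from typing import Dict, List

# Command strings are the ones this page attributes to Cheerscrypt; the
# technique IDs are the page's. The log line format is an assumption modelled
# on ESXi /var/log/shell.log, and SAMPLE_SHELL_LOG below is constructed.
SHELL_LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
ESXCLI_ANY = re.compile(r"\besxcli\b")  # any hypervisor CLI use -> T1059.012
ESXCLI_RULES = [
    (re.compile(r"\besxcli\s+vm\s+process\s+list\b"), "T1673", "Virtual Machine Discovery"),
    (re.compile(r"\besxcli\s+vm\s+process\s+kill\b"), "T1489", "Service Stop"),
]

SAMPLE_SHELL_LOG = """\
2022-05-03T09:14:02Z shell[2100317]: [root]: esxcli system version get
2022-05-03T09:14:11Z shell[2100317]: [root]: esxcli vm process list
2022-05-03T09:14:25Z shell[2100317]: [root]: esxcli vm process kill --type=force --world-id=2100422
2022-05-03T09:15:40Z shell[2100317]: [root]: ls /vmfs/volumes
"""


def classify(line: str) -> List[Dict[str, str]]:
    """Map one shell.log line to the ATT&CK techniques its command indicates."""
    m = SHELL_LOG_LINE.match(line)
    if not m:
        return []
    cmd = m.group("cmd")
    hits: List[Dict[str, str]] = []
    if ESXCLI_ANY.search(cmd):
        hits.append({"technique": "T1059.012", "name": "Hypervisor CLI", "cmd": cmd})
    for pattern, tid, name in ESXCLI_RULES:
        if pattern.search(cmd):
            hits.append({"technique": tid, "name": name, "cmd": cmd})
    return hits


def list_then_kill(lines: List[str]) -> bool:
    """True when a VM process listing is later followed by a VM process kill,
    the discovery-then-termination sequence described for Cheerscrypt."""
    seen_list = False
    for line in lines:
        techniques = {h["technique"] for h in classify(line)}
        if "T1673" in techniques:
            seen_list = True
        elif "T1489" in techniques and seen_list:
            return True
    return False
```

On a real host, feed the function the lines of shell.log (forwarded via syslog is preferable, since the ransomware may remove local logs) and alert on the sequence rather than on any single esxcli call, which administrators also run legitimately.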

Groups That Use This Software

ID Name References
G1021 Cinnamon Tempest [1][2]

References