Researchers at Trend Micro have detected Cheerscrypt, a new Linux-based ransomware variant, after it targeted a customer's ESXi server. ESXi is VMware's bare-metal hypervisor, and the files it manages are the virtual machines themselves (their disks, configuration, and memory snapshots). ESXi servers have previously been attacked by other known ransomware families such as LockBit, Hive, and RansomEXX, because encrypting a hypervisor's datastore takes down every virtual machine it hosts in one operation rather than requiring the ransomware to reach each guest individually.
The ransomware requires an input parameter specifying the path to encrypt before it will start its infection routine. In a blog post, the researchers said that it first terminates the VM processes; a running VM holds locks on its disk and configuration files, so killing it is what lets the ransomware open and encrypt the VMware-related files. Like other infamous ransomware families, Cheerscrypt uses a double extortion scheme, withholding the decryption key while also threatening to leak stolen data, to coerce its victim into paying the ransom.
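The sequence described above (a burst of VM terminations, then an unfamiliar binary invoked with a datastore path as its argument) is observable in the ESXi shell audit log. The following is an added example, not Trend Micro's tooling or the malware's code: a small heuristic detector over shell-log lines. It assumes the VMs are killed with the standard `esxcli vm process kill` command (the article does not say how Cheerscrypt terminates them), assumes a `shell.log`-style line format, and the log entries it scans are constructed for the example.

```python
"""Heuristic detector for hypervisor-level ransomware activity in ESXi shell logs.

Added example (not Trend Micro's or Cheerscrypt's code). Flags two things:
  1. a burst of forced VM terminations within a short window, and
  2. after such a burst, a binary outside a small admin allowlist being run
     with a /vmfs/volumes/... path argument (the encryptor's path parameter).
Assumed line format: "<ISO time>Z shell[<pid>]: [<user>]: <command>".
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z shell\[\d+\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
DATASTORE_RE = re.compile(r"/vmfs/volumes/\S+")

# Binaries an administrator legitimately points at datastore paths (assumed allowlist).
KNOWN_BINARIES = {"ls", "cd", "du", "cp", "mv", "cat", "find", "vmkfstools", "vim-cmd", "esxcli"}
KILL_BURST = 3                    # this many kills ...
KILL_WINDOW = timedelta(seconds=60)  # ... within this window is suspicious

# Constructed sample: mass VM kill followed by an unknown binary given a datastore path.
SUSPICIOUS_LOG = """\
2022-05-20T07:55:00Z shell[20001]: [root]: ls /vmfs/volumes/datastore1/
2022-05-20T08:00:01Z shell[20001]: [root]: esxcli vm process list
2022-05-20T08:00:05Z shell[20001]: [root]: esxcli vm process kill --type=force --world-id=2101123
2022-05-20T08:00:06Z shell[20001]: [root]: esxcli vm process kill --type=force --world-id=2101456
2022-05-20T08:00:07Z shell[20001]: [root]: esxcli vm process kill --type=force --world-id=2101789
2022-05-20T08:00:20Z shell[20001]: [root]: /tmp/encrypt /vmfs/volumes/datastore1/
2022-05-20T09:30:00Z shell[20040]: [root]: vmkfstools -i /vmfs/volumes/datastore1/web01/web01.vmdk /vmfs/volumes/datastore1/web01/clone.vmdk
"""

# Constructed sample of routine admin work: one VM stopped, a datastore listed.
BENIGN_LOG = """\
2022-05-20T07:10:00Z shell[19990]: [root]: ls /vmfs/volumes/datastore1/
2022-05-20T07:12:00Z shell[19990]: [root]: esxcli vm process kill --type=soft --world-id=2100001
"""


def parse(lines):
    """Return (timestamp, user, command) tuples for lines matching the assumed format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m["user"], m["cmd"]))
    return events


def detect(lines):
    """Return a list of (finding, user, detail) tuples, in log order."""
    findings = []
    recent_kills = []      # timestamps of kills inside the sliding window
    burst_started = None   # set once a kill burst has been seen
    for ts, user, cmd in parse(lines):
        if KILL_RE.search(cmd):
            recent_kills = [t for t in recent_kills if ts - t <= KILL_WINDOW] + [ts]
            if len(recent_kills) >= KILL_BURST and burst_started is None:
                burst_started = recent_kills[0]
                findings.append(("vm_kill_burst", user,
                                 f"{len(recent_kills)} VM kills since {burst_started.isoformat()}"))
            continue
        path = DATASTORE_RE.search(cmd)
        if path and burst_started is not None:
            # Basename of whatever was executed, e.g. "/tmp/encrypt" -> "encrypt".
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary not in KNOWN_BINARIES:
                findings.append(("encryptor_candidate", user,
                                 f"{binary} invoked on {path.group(0)}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SUSPICIOUS_LOG.splitlines()):
        print(*finding, sep=" | ")
    print("benign log findings:", detect(BENIGN_LOG.splitlines()))
```

The ordering matters: the datastore-path check only fires after a kill burst, because `vmkfstools` and friends touch datastore paths all day, whereas an unknown binary handed a datastore path minutes after every VM on the host was force-killed is exactly the infection routine the researchers describe. Tune the allowlist and window to the host's normal activity before relying on it.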
ESXi is widely used in enterprise settings for server virtualization, which makes it a popular target for ransomware attacks. According to the researchers, compromising ESXi servers has become a standard tactic for some notorious cybercriminal groups because a single compromised host lets them disable many virtual machines at once. Organizations should therefore expect malicious actors to keep upgrading their malware arsenal and to breach as many systems and platforms as they can for monetary gain.
To protect systems against similar attacks, Trend Micro Research recommends that organizations build security frameworks that systematically allocate resources according to the enterprise's needs.