
S1096 Cheerscrypt

Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[1][2]

ID: S1096
Associated Names:
Type: MALWARE
Version: 1.1
Created: 18 December 2023
Last Modified: 15 April 2025

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.012 | Hypervisor CLI | Cheerscrypt has leveraged esxcli in order to terminate running virtual machines.[2]
enterprise | T1486 | Data Encrypted for Impact | Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie-Hellman (ECDH) generated key.[2][1]
enterprise | T1083 | File and Directory Discovery | Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.[2]
enterprise | T1489 | Service Stop | Cheerscrypt has the ability to terminate VM processes on compromised hosts through execution of esxcli vm process kill.[2]
enterprise | T1673 | Virtual Machine Discovery | Cheerscrypt has leveraged esxcli vm process list in order to gather a list of running virtual machines to terminate them.[2]

Groups That Use This Software

ID | Name | References
G1021 | Cinnamon Tempest | [1][2]

References