CheersCrypt (AKA: Cheers) is yet another ransomware variant by the Chinese-affiliated group BRONZE STARLIGHT. Trend Micro first reported it in May, but there were mentions of this ransomware all the way back in February. Previously, the group used the ransomware variants LockFile, AtomSilo, Rook, NightSky, and Pandora. They are also known to have been an affiliate of LockBit 2.0. However, it appears that their affiliate status was short-lived. LockFile and AtomSilo were proprietary ransomware code bases with some aspects of various other ransomware strains, but Rook, NightSky, and Pandora are delineated from Babuk. CheersCrypt is also a variant of Babuk, but it's from its ESXi code base, as opposed to the Windows encryptor code. In other words, CheersCrypt targets Linux ESXi systems, and the others target Windows machines. Coincidentally, CheersCrypt appeared around the same time as Pandora. It is, therefore, assumed that the group used two different ransomware for their operations in the beginning to middle of 2022 - Pandora for Windows and CheersCrypt for ESXi. This follows the analysis from researchers that BRONZE STARLIGHT consistently used different ransomware strains to avoid attribution.
Unfortunately, we were unable to find a sample of CheersCrypt in the public domain and in our own systems. Therefore, we don't have any sample hashes to share as well as a ransom note. However, we used several references to collect as much information about it as possible. You can view those publications at the bottom of this page. Considering CheersCrypt was operated by the same group as several other ransomware before it (mentioned above), the extortion attempts and cyber kill chain are similar. However, the encryptor is slightly different. To encrypt files, CheersCrypt utilizes ECDH and Sosemanuk as opposed to AES and RSA of their previous ransomware iterations. This specific ransomware strain operated longer than their other previous strains, too, extorting at least ten victims. You can view information on that and more below.
Known Victims(10)
| Industry Sector | Land | Extortion Date | Amount (USD) |
|---|---|---|---|
| Healthcare & Medicine | Belgium | ||
| Banking & Finance | |||
| Information Technology | |||
| Maritime | Singapore | ||
| Distribution & Logistics | |||
| Insurance | |||
| Banking & Finance | United Kingdom | ||
| Banking & Finance | Türkiye | ||
| Construction & Architecture | United Kingdom | ||
| Sports & Gaming | Japan |