Ransomware - CheersCrypt

CheersCrypt
Aliases
Cheers
Cheers!
Cheers Hacking Team
Decryptor Available
No
Description

CheersCrypt (AKA: Cheers) is yet another ransomware variant by the Chinese-affiliated group BRONZE STARLIGHT. Trend Micro first reported it in May, but there were mentions of this ransomware all the way back in February. Previously, the group used the ransomware variants LockFile, AtomSilo, Rook, NightSky, and Pandora. They are also known to have been an affiliate of LockBit 2.0. However, it appears that their affiliate status was short-lived. LockFile and AtomSilo were proprietary ransomware code bases with some aspects of various other ransomware strains, but Rook, NightSky, and Pandora are delineated from Babuk. CheersCrypt is also a variant of Babuk, but it's from its ESXi code base, as opposed to the Windows encryptor code. In other words, CheersCrypt targets Linux ESXi systems, and the others target Windows machines. Coincidentally, CheersCrypt appeared around the same time as Pandora. It is, therefore, assumed that the group used two different ransomware for their operations in the beginning to middle of 2022 - Pandora for Windows and CheersCrypt for ESXi. This follows the analysis from researchers that BRONZE STARLIGHT consistently used different ransomware strains to avoid attribution.

Unfortunately, we were unable to find a sample of CheersCrypt in the public domain and in our own systems. Therefore, we don't have any sample hashes to share as well as a ransom note. However, we used several references to collect as much information about it as possible. You can view those publications at the bottom of this page. Considering CheersCrypt was operated by the same group as several other ransomware before it (mentioned above), the extortion attempts and cyber kill chain are similar. However, the encryptor is slightly different. To encrypt files, CheersCrypt utilizes ECDH and Sosemanuk as opposed to AES and RSA of their previous ransomware iterations. This specific ransomware strain operated longer than their other previous strains, too, extorting at least ten victims. You can view information on that and more below.

Ransomware Type
Crypto-Ransomware
Data Broker
Country of Origin
China
First Seen
Last Seen
Threat Actors
Typ
Actor
APT
BRONZE STARLIGHT
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Encryption
Type
Hybrid
Files
Sosemanuk
Key
ECDH
File Extension
<file name>.<file extension>.Cheers
Ransom Note Name
How To Restore Your Files.txt
Industry Sector Land Extortion Date Amount (USD)
Healthcare & MedicineBelgium
Banking & Finance
Information Technology
MaritimeSingapore
Distribution & Logistics
Insurance
Banking & FinanceUnited Kingdom
Banking & FinanceTürkiye
Construction & ArchitectureUnited Kingdom
Sports & GamingJapan