S1096: Cheerscrypt
Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[1][2]
Analyst context for executives and security teams
Cheerscrypt matters because it is ransomware documented against both ESXi and Windows environments. The ESXi angle is especially important for resilience: compromise or encryption at the hypervisor layer can affect many virtualized workloads at once, turning a security incident into a broad business continuity event.
Executive priority
Leaders should treat this as a validation point for ransomware readiness around virtualization, not just endpoint protection. Key questions are whether ESXi administration is tightly controlled, whether hypervisor activity is logged well enough for investigation, whether backups are isolated and restorable, and whether incident response plans cover service disruption and VM-level recovery.
Technical view
ATT&CK does not provide a detection section for Cheerscrypt, so defenders should validate coverage through the related behaviors: Hypervisor CLI abuse, file and directory discovery, virtual machine discovery, service stopping, and data encryption for impact. SOC and IR teams should confirm visibility on ESXi command activity such as administrative CLI use, VM enumeration, service/process stops, and rapid file modification or encryption patterns across ESXi and Windows assets.
Likely telemetry
- ESXi and hypervisor command-line activity, including use of administrative tools such as esxcli or vim-cmd where available
- VM inventory and enumeration events from hypervisor management interfaces
- Authentication and administrative session logs for ESXi or virtualization management systems
- File system telemetry showing broad file discovery, access, renaming, modification, or encryption-like behavior
- Service stop or process termination events on ESXi-supported services and Windows systems
Detection direction
- Baseline legitimate hypervisor administration so VM discovery and CLI activity can be reviewed in context rather than treated as inherently malicious.
- Alert on unusual combinations of VM enumeration, file discovery, service stopping, and high-volume file modification or encryption behavior.
- Pay special attention to ESXi logging gaps; many organizations have stronger Windows endpoint visibility than hypervisor visibility.
- Tune detections for administrative false positives, especially maintenance windows, backup operations, and planned VM lifecycle activity.
- Use the Cinnamon Tempest relationship as threat-intelligence context only; do not assume attribution from behavior alone.
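As an added example that is not part of the ATT&CK object or of Glexia's analysis, the correlation below flags the enumerate-then-kill sequence in ESXi shell command history (Virtual Machine Discovery via `esxcli vm process list` followed by Service Stop via `esxcli vm process kill`), and suppresses sessions inside an approved change window to handle the maintenance tuning described above. The log line shape is constructed and only approximates ESXi shell.log; the timestamps, pids, users and world ids are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line shape approximating ESXi shell.log: "<time> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")
LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")

def parse_line(line):
    # Return (time, pid, user, command), or None for a line in another format.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, user, cmd = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), pid, user, cmd

def find_enum_then_kill(lines, window=timedelta(minutes=10), min_kills=2, change_windows=()):
    """Flag each shell session (pid, user) where 'esxcli vm process list' is followed
    within `window` by at least `min_kills` kills, unless the enumeration falls inside
    an approved (start, end) change window. Returns [(user, pid, kill_count), ...]."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[(rec[1], rec[2])].append(rec)
    findings = []
    for (pid, user), recs in sorted(sessions.items()):
        recs.sort()
        for t0, _, _, cmd in recs:
            if not LIST_RE.search(cmd) or any(s <= t0 <= e for s, e in change_windows):
                continue
            kills = [r for r in recs if KILL_RE.search(r[3]) and t0 <= r[0] <= t0 + window]
            if len(kills) >= min_kills:
                findings.append((user, pid, len(kills)))
                break  # one finding per session is enough for triage
    return findings

# Constructed sample: session 2100 enumerates and kills three VMs within two minutes at
# night; session 2200 does the same during a planned maintenance window (hypothetical).
SAMPLE_LOG = [
    "2022-05-25T02:10:00Z shell[2100]: [root]: esxcli vm process list",
    "2022-05-25T02:10:30Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=1001",
    "2022-05-25T02:10:35Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=1002",
    "2022-05-25T02:11:50Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=1003",
    "2022-05-25T09:00:00Z shell[2200]: [vmadmin]: esxcli vm process list",
    "2022-05-25T09:01:00Z shell[2200]: [vmadmin]: esxcli vm process kill --type=soft --world-id=1004",
    "2022-05-25T09:01:10Z shell[2200]: [vmadmin]: esxcli vm process kill --type=soft --world-id=1005",
]
MAINTENANCE = [(datetime(2022, 5, 25, 8, 30), datetime(2022, 5, 25, 10, 0))]
```

Without `change_windows` both sessions are flagged; passing `MAINTENANCE` keeps only the night-time root session, which is the review-in-context behaviour the baseline bullet asks for.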
Mitigation priorities
- Prioritize strong access control and monitoring for ESXi and virtualization administration paths.
- Ensure ransomware recovery plans include hypervisor and VM restoration, not only individual Windows hosts.
- Maintain isolated, tested backups for critical virtualized workloads.
- Restrict and review use of hypervisor CLI capabilities to authorized administrators and expected change windows.
- Prepare IR playbooks for service disruption, VM enumeration, and data encryption scenarios across ESXi and Windows environments.
Analyst notes and limits
The supplied ATT&CK object identifies Cheerscrypt as ransomware derived from leaked Babuk source code, used against ESXi and Windows environments, and related to Cinnamon Tempest. The most useful defensive value comes from the mapped techniques: hypervisor CLI execution, discovery, service stop, VM discovery, and encryption for impact.
ATT&CK provides no official detection guidance for this malware object, and the tactic field for the malware itself is not specified. Local telemetry, logging configuration, asset exposure, and backup architecture are required to determine actual coverage or risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1489 | Service Stop | Cheerscrypt has the ability to terminate VM processes on compromised hosts through execution of `esxcli vm process kill`.[2] |
| Enterprise | T1059.012 | Hypervisor CLI (sub-technique) | Cheerscrypt has leveraged `esxcli` in order to terminate running virtual machines.[2] |
| Enterprise | T1486 | Data Encrypted for Impact | Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key.[2][1] |
| Enterprise | T1083 | File and Directory Discovery | Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.[2] |
| Enterprise | T1673 | Virtual Machine Discovery | Cheerscrypt has leveraged `esxcli vm process list` in order to gather a list of running virtual machines to terminate them.[2] |
Groups, software, and campaigns
G1021: Cinnamon Tempest
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9b5e7e80c09f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Sygnia Emperor Dragonfly October 2022: Biderman, O. et al. (2022, October 3). Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group. Sygnia. Retrieved December 6, 2023.
[2] Trend Micro Cheerscrypt May 2022: Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Trend Micro. Retrieved December 19, 2023.
[3] MITRE ATT&CK: S1096 Cheerscrypt (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.