Cheerscrypt Linux-based Ransomware Encrypt Both Linux & Windows Systems

In a recent investigation, the Sygnia security firm found Linux-based ransomware, Cheerscrypt. This ransomware was found using the TTPs of Night Sky ransomware.

There is a common threat group called Emperor Dragonfly (A.K.A. DEV-0401/BRONZE STARLIGHT) that is behind both Cheerscrypt and Night Sky.

There were several open-source tools deployed by Emperor Dragonfly. In order to provide Chinese users with these tools, Chinese developers wrote them from scratch in Chinese.

It confirms the claims which have been made that the original operators of the ‘Emperor Dragonfly’ ransomware are from China.

According to the report, Cheerscrypt’s operators present themselves as pro-Ukrainian, which provided the only clue to their true identity. This is indicated by the phrase “Слава Україні!”, which means “Glory to Ukraine!” and their dark web leak site which displays a Ukrainian flag.

The attack kill-chain is segmented into four phases, and here they are:-

• Initial access
• Establishing foothold within the network
• Lateral movement
• Data exfiltration and ransomware execution.

It is often difficult to identify two ransomware strains as part of the same threat actor in the world of ransomware affiliates and leaked source code for ransomware.

Detection points

Listed below are some detection tips that may assist you in searching for Emperor Dragonfly’s traces in the organization network:-

• Search for binaries, scripts, and executions from suspicious folders.
• Search for evidence of SMBExec executions.
• Search for evidence of WMIExec executions.
• Monitor users’ authentications, and activity from unusual sources.

Mitigations

To defend against the Emperor Dragonfly’s TTPs, the following measures can be implemented:-

• Identify and patch critical vulnerabilities.
• Limit outbound internet access from servers.
• Protect the virtualization platform.
• Limit lateral movement through the network.
• Protect privileged accounts.