VMware ESXi servers of hosting firm compromised by SEXi ransomware

Key Point :
– Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack by the ransomware gang known as SEXi.
– The attack encrypted the company’s VMware ESXi servers and backups.
– PowerHost is a data center, hosting, and interconnectivity company with locations in the USA, South America, and Europe.
– Customers hosting their websites or services on the affected servers are currently down.
– PowerHost apologized to customers and warned that it may not be possible to restore servers as the backups have also been encrypted.
– The ransomware gang demanded two bitcoins per victim, which would equal $140 million.
– PowerHost CEO Ricardo Rubem negotiated with the hijacker but law enforcement agencies recommend against paying the ransom.
– For impacted VPS customers, the company is offering to set up a new VPS so that customers can bring their sites back online.
– The ransomware used in the attack appends the .SEXi extension and drops ransom notes named SEXi.txt.
– The ransomware started targeting victims in March 2023 and has been seen targeting VMWare ESXi servers.
– The name ‘SEXi’ is a wordplay on ‘ESXi’.
– The infrastructure of the ransomware operation is not unique at this time.
– All ransom notes share the same Session contact address.
– It is unknown whether the attackers are stealing data for double extortion attacks.

Hacker walking through a datacenter

Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company’s VMware ESXi servers and backups.

PowerHost is a data center, hosting, and interconnectivity company with locations in the USA, South America, and Europe.

On Monday, PowerHost’s Chile division, IxMetro, warned customers that it suffered a ransomware attack early Saturday morning that encrypted some of the company’s VMware ESXi servers that are used to host virtual private servers for customers.

Customers hosting their websites or services on these servers are currently down as the company attempts to restore terabytes of data from backups.

In the latest update, PowerHost apologized to customers, warning that it may not be possible to restore servers as the backups have also been encrypted.

When attempting to negotiate with the threat actors to receive a decryption key, the ransomware gang demanded two bitcoins per victim, which PowerHost’s CEO says would equal $140 million.

From the very beginning of the issue, we have been in contact and collaborating with various security agencies in various countries to determine if they were aware of this ransomware. All the information we’ve gathered indicates that these are new variants with a very high level of damage. Personally, I negotiated with the hijacker, who demanded an exorbitant amount of bitcoins per customer: 2 BTC for each, which added up to around 140 million. However, even if we could muster the required amount, would it really help us? The unanimous recommendation of all law enforcement agencies is not to negotiate, as in more than 90% of cases, criminals simply disappear after payment.

❖ PowerHost CEO Ricardo Rubem.

For VPS customers impacted by the attack and who still have their website content, the company is offering to set up a new VPS so that customers can bring their sites back online.

The new SEXi ransomware

According to CronUp cybersecurity researcher Germán Fernández, PowerHost was attacked using a new ransomware that appends the .SEXi extension and drops ransom notes named SEXi.txt.

While BleepingComputer has not been able to find a sample of this ransomware, we have learned that the ransomware is fairly new, starting to target victims in March 2023.

The known attacks by the threat actors have only been seen targeting VMWare ESXi servers so far, why the ransomware operation chose the name ‘SEXi,’ which is a wordplay on ‘ESXi.’

Encrypted virtual machine files with the .SEXi extension
Encrypted virtual machine files with the .SEXi extension
Source: Germán Fernández

However, as a sample of the encryptor has not been found as of yet, it’s possible they are targeting Windows devices as well.

As for the infrastructure of the ransomware operation, there is nothing special about it at this time. The ransom notes simply contain a message telling the victims to download the Session messaging app and to contact them at the listed address.

SEXi ransom note
SEXi ransom note
Source: BleepingComputer

BleepingComputer has learned that all ransom notes share the same Session contact address, so there is nothing unique for each victim in the ransom note.

Furthermore, it is unknown whether the attackers are stealing data to extort companies in double extortion attacks through data leak sites. However, as this is a very new ransomware operation, that could change at any time.

Source: https://www.bleepingcomputer.com/news/security/hosting-firms-vmware-esxi-servers-hit-by-new-sexi-ransomware/


“An interesting youtube video that may be related to the article above”