SEXi? Seriously? What are you talking about this time?
Don’t worry, I’m not trying to conjure up images of Rod Stewart in his iconic leopard print trousers in your mind. I’m trying to warn you about a cybercrime group that has become infamous for attacking VMware ESXi servers since February 2024.
I’m not sure. What is VMware ESXi?
ESXi is a hypervisor that lets companies consolidate multiple servers onto a single physical machine, reducing costs and simplifying management.
ESXi is a popular choice for cloud providers and data centers that need to host thousands of virtual machines for their customers, but it’s also used in sectors like healthcare, finance, and education.
So, are the SEXi gang hacking into ESXi servers and encrypting data?
That’s correct. For example, in April, VMware ESXi servers and backups of Chilean data center and hosting provider IxMetro PowerHost were encrypted. Attackers demanded a Bitcoin ransom of $140 million.
$140 million? Wow!
That’s a pretty penny, right? Apparently, the ransomware group calculated this amount by demanding 2 Bitcoin for each PowerHost customer whose data was exposed.
PowerHost’s CEO said he personally negotiated with the attackers, called their demands “exorbitant,” and refused to pay.
So how do you know if your computer has SEXi?
Encrypted files will have “.SEXi” appended to their filenames. Virtual machine-related files such as virtual disks, storage, and backup images are targeted.
Additionally, a ransom note called SEXi.txt is dropped onto affected systems.
The ransom note instructs victims to download the end-to-end encrypted messaging app Session and get in touch with the extortionists.
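The two indicators just described (the “.SEXi” extension on virtual machine files and the SEXi.txt ransom note) are simple enough to sweep for on a mounted datastore. The script below is an added example, not code from the original article or from Tripwire; the list of VM file extensions and the sample directory layout it builds are my own assumptions, constructed only to show the scan working.

```python
"""Sweep a datastore mount for SEXi ransomware indicators (added example)."""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

RANSOM_EXT = ".sexi"        # ".SEXi" is appended to encrypted files; compared case-insensitively
RANSOM_NOTE = "sexi.txt"    # the ransom note dropped on affected systems
# Common ESXi virtual machine file types (assumed list, not taken from the article)
VM_FILE_EXTS = {".vmx", ".vmdk", ".vmsd", ".vmsn", ".vmem", ".nvram", ".vswp"}


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)   # paths ending in .SEXi
    ransom_notes: list = field(default_factory=list)      # paths of SEXi.txt notes
    affected_vms: set = field(default_factory=set)        # VM folders with encrypted VM files

    @property
    def infected(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def scan_datastore(root) -> ScanResult:
    """Walk `root` recursively and collect ransomware indicators."""
    result = ScanResult()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == RANSOM_NOTE:
            result.ransom_notes.append(str(path))
        elif name.endswith(RANSOM_EXT):
            result.encrypted_files.append(str(path))
            # Strip the appended extension to recover the original file name,
            # then attribute the hit to the VM folder if it was a VM file.
            original = path.name[: -len(RANSOM_EXT)]
            if Path(original).suffix.lower() in VM_FILE_EXTS:
                result.affected_vms.add(path.parent.name)
    result.encrypted_files.sort()
    result.ransom_notes.sort()
    return result


# Constructed sample datastore layout (hypothetical, not real victim data).
SAMPLE_FILES = {
    "web01/web01.vmx.SEXi": b"",
    "web01/web01.vmdk.SEXi": b"",
    "web01/SEXi.txt": b"[constructed ransom note placeholder]",
    "db01/db01.vmx": b"",
    "db01/db01-flat.vmdk": b"",
    "backup/nightly.tar.SEXi": b"",
    "SEXi.txt": b"[constructed ransom note placeholder]",
}


def build_sample_datastore(root) -> None:
    """Create the constructed sample tree under `root`."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> ScanResult:
    """Build the sample datastore in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_datastore(tmp)
        return scan_datastore(tmp)


if __name__ == "__main__":
    r = demo()
    print("infected:", r.infected)
    print("encrypted files:", len(r.encrypted_files))
    print("ransom notes:", len(r.ransom_notes))
    print("affected VMs:", sorted(r.affected_vms))
```

Run it against a real datastore path (for example a directory under /vmfs/volumes on an ESXi host, or an NFS mount from a management box) by calling scan_datastore on that path instead of the sample tree. A hit on either indicator is a reason to isolate the host and pull backups from media the host could not write to, not to start restoring in place.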
Does the encryption used in the SEXi attack have known weaknesses that could allow data to be recovered without paying?
Unfortunately, there are no free tools available to restore encrypted data, so businesses affected by the SEXi ransomware attack can only hope that they had backups of their important data that were not compromised by cybercriminals.
None of this sounds sexy at all…
I agree. And maybe the attackers think so too. Since last month, it seems they are trying to rebrand themselves with the less ominous name “APT Inc.” Of course, that means the ransom message will be updated, but there won’t be any major changes in how the criminals operate.
How can I better protect my VMware ESXi servers?
The following steps will greatly enhance the security of your VMware ESXi environment and help protect your valuable data.
- Update and patch your VMware ESXi systems to protect them from known vulnerabilities.
- Disable the default root account and create separate user accounts that grant users only the privileges they need.
- Make sure your password is strong, impossible to guess or crack, and unique.
- Proactively monitor and record events to detect potential security breaches.
For detailed advice, please read VMware’s recommendations for securing ESXi.
Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.