Desire of SEXi Ransomware for VMware Hypervisors


Emergence of SEXi Ransomware Targeting VMware ESXi Servers – Latest Cyber Threat Analysis

A new variant of the Babuk ransomware, dubbed “SEXi,” has recently emerged targeting VMware ESXi servers in various countries. One notable victim of this cyberattack is IxMetro PowerHost, a Chilean data center hosting company. The attackers demanded a hefty ransom of $140 million, but the company’s CEO, Ricardo Rubem, has stated that they will not be paying.

Germán Fernández, a cybersecurity researcher at CronUp, confirmed the attack on PowerHost and revealed that the ransomware locked up the company’s servers, leaving files with the .SEXi extension. The initial access vector to the internal network is still unknown.

Further investigation by Will Thomas, a CTI researcher at Equinix, uncovered a binary related to the attack, named “LIMPOPOx32.bin,” which is believed to be a Linux version of Babuk. The binary has a 53% detection rate on VirusTotal: 34 out of 64 security vendors have flagged it as malicious since its upload on Feb. 8.

The emergence of SEXi ransomware highlights the convergence of two significant ransomware trends: the adaptation of malware from the Babuk source code and a growing interest in compromising VMware ESXi servers. The attackers behind SEXi have orchestrated a series of attacks in Latin American countries, utilizing different variants of the ransomware.

As the cyber threat landscape continues to evolve, it is crucial for organizations to secure their ESXi environments by following best practices recommended by experts. Applying software patches regularly, strengthening password security, monitoring network activity, and maintaining secure backups are essential steps in mitigating the risk of ransomware attacks targeting VMware ESXi servers.
