SEXi? Seriously? What are you talking about this time?
Don't worry, I'm not trying to conjure images in your mind of Rod Stewart in his iconic leopard print trousers. Instead, I want to warn you about a cybercrime group that has gained notoriety for attacking VMware ESXi servers since February 2024.
Excuse me for not knowing, but what is VMware ESXi?
ESXi is a bare-metal hypervisor. It lets businesses that want to reduce costs and simplify management consolidate multiple servers as virtual machines onto a single physical machine.
ESXi is a popular choice with cloud providers and data centres that need to host thousands of virtual machines for their customers, but there are also use cases in healthcare, finance, education, and other sectors.
So the SEXi gang breaks into ESXi servers and encrypts the data?
That's correct. For instance, in April Chilean data centre and hosting provider IxMetro PowerHost had its VMware ESXi servers and backups encrypted. The attackers demanded a ransom of $140 million worth of Bitcoin.
140 million dollars? Sheesh!
It's a lot, isn't it? Apparently, the ransomware group calculated the figure by demanding two Bitcoins for every PowerHost customer whose data had been encrypted.
PowerHost's CEO says that he personally negotiated with the attackers, described the demand as "exorbitant", and refused to pay up.
So how do you know if your computers have, err.. got SEXi?
Encrypted files have ".SEXi" appended to their filenames. The attackers target the files that make up virtual machines, such as virtual disks, storage, and backup images.
In addition, a ransom note is dropped onto affected systems called SEXi.txt.
The ransom message tells victims to download the end-to-end encrypted messaging app Session, and make contact with the extortionists.
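Those indicators can be turned into a quick check of an ESXi host's datastores. What follows is an added example written for this article, not a tool from the SEXi coverage or from VMware: a small POSIX shell script for the ESXi shell (busybox ash, so only find, sort, wc and sed are used) that searches a directory tree for files ending in ".SEXi" and for SEXi.txt ransom notes, groups the hits by folder (on a VMFS datastore each VM normally lives in its own folder) and exits non-zero when anything is found, so it can be run from cron or a monitoring agent. The default path /vmfs/volumes and the script name sexi_scan.sh are assumptions. The rebrand to "APT Inc." mentioned further down comes with an updated ransom note, and the article does not give its new filename, so none is assumed here.

```shell
#!/bin/sh
# Added example: scan an ESXi datastore tree for the SEXi ransomware
# indicators described in the article: a ".SEXi" suffix on encrypted files
# and a "SEXi.txt" ransom note. Written for the ESXi shell (busybox ash),
# so only POSIX find/sort/wc/sed/dirname are used.
# "/vmfs/volumes" is the usual ESXi datastore mount point (assumed default);
# any directory can be passed instead.

# Print every encrypted file below $1, one path per line.
sexi_encrypted_files() {
    find "$1" -type f -name '*.SEXi' 2>/dev/null
}

# Print every ransom note below $1.
sexi_ransom_notes() {
    find "$1" -type f -name 'SEXi.txt' 2>/dev/null
}

# Print the distinct directories that contain encrypted files. On a VMFS
# datastore each VM has its own folder, so this reads as "which VMs are hit".
sexi_affected_dirs() {
    sexi_encrypted_files "$1" | while IFS= read -r f; do
        dirname "$f"
    done | sort -u
}

# Summarise the scan. Prints "encrypted=<n> notes=<n> vm_dirs=<n>" followed
# by one "  affected: <dir>" line per hit directory. Returns 0 when clean
# and 1 when any indicator was found, so it can drive an alert.
sexi_scan() {
    dir=${1:-/vmfs/volumes}
    enc=$(sexi_encrypted_files "$dir" | wc -l | tr -d ' ')
    notes=$(sexi_ransom_notes "$dir" | wc -l | tr -d ' ')
    dirs=$(sexi_affected_dirs "$dir" | wc -l | tr -d ' ')
    echo "encrypted=$enc notes=$notes vm_dirs=$dirs"
    if [ "$enc" -gt 0 ] || [ "$notes" -gt 0 ]; then
        sexi_affected_dirs "$dir" | sed 's/^/  affected: /'
        return 1
    fi
    return 0
}

# Stand-alone use (assumed file name sexi_scan.sh): scan and exit with the
# scan status. Sourcing the file for its functions runs nothing.
if [ "${0##*/}" = "sexi_scan.sh" ]; then
    sexi_scan "$@"
fi
```

Run it as `sh sexi_scan.sh /vmfs/volumes` on the host, or point it at a single datastore. A hit means the attacker has already been writing to the datastore, so the next step is to isolate the host from the network and preserve it for forensics rather than reboot it; and because the check runs on a host that may already be under the attacker's control, treat its output as a prompt to investigate, not as proof that a silent host is clean.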
Are there any known weaknesses in the encryption used in the SEXi attacks that could be used to recover your data without paying?
Unfortunately not, and so there are no freely available tools to recover encrypted data. Businesses hit by SEXi ransomware attacks have to hope that they have a backup of critical data that has not been compromised by the cybercriminals. As the PowerHost case shows, backups that the attackers can reach from the compromised hypervisor get encrypted along with everything else, so only backups kept offline or immutable, and tested for restore, really count.
None of this sounds very SEXI at all...
I agree. And maybe the attackers do too. From last month onwards they appear to have attempted to rebrand themselves with the slightly less disturbing name of "APT Inc." Which, of course, means an update to the ransom note - although not much has changed in the way the criminals operate.
What can my company do to better protect its VMware ESXi servers?
You can significantly strengthen the security of your VMware ESXi environment and protect valuable data by following these steps:
- Update and patch your VMware ESXi systems against known vulnerabilities.
- Stop using the default root account for day-to-day administration (it cannot be removed on ESXi, but its use can be restricted) and create separate named user accounts, granting users only the permissions they need.
- Make sure that passwords are strong, cannot be guessed or cracked, and are unique.
- Proactively monitor and log events to detect potential security breaches.
For further advice, read VMware's recommendations for securing ESXi.
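One way to apply those four steps from the ESXi shell with esxcli, as an added example for this article rather than a script from VMware or from the hardening guide it refers to. The account name "vmadmin", the environment variable ESXI_ADMIN_PW, the log host "siem.example.internal" and the offline bundle path are placeholders to be replaced. Because ESXi does not allow the built-in root account to be deleted, the example creates a named administrator and tightens the password and lockout policy, which applies to root as well; the esxcli commands are real, but the policy values are one reasonable choice, not a VMware recommendation.

```shell
#!/bin/sh
# Added example: apply the article's four hardening steps with esxcli from
# the ESXi shell. Not VMware's script. Placeholders (assumptions): the
# account name "vmadmin", the password in $ESXI_ADMIN_PW, the syslog host
# siem.example.internal and the offline bundle path passed as $1.

# Step 2 of the article: a named Admin account, so root is no longer the
# only, shared, login. The password comes from the environment rather than
# being typed into the interactive command line (and thus shell history).
esxi_add_admin() {
    id=$1
    pw=$2
    esxcli system account add -i "$id" -p "$pw" -c "$pw" -d "Named administrator"
    esxcli system permission set -i "$id" -r Admin
}

# Step 3: password quality and lockout policy, which also covers root.
# The PasswordQualityControl fields are min=N0,N1,N2,N3,N4: minimum length
# for passwords using one, two (N1), passphrase (N2), three or four character
# classes. "disabled" forbids that class count, so this string only accepts
# passwords with all four classes and at least 15 characters. The lockout
# settings lock an account for 900 seconds after 5 failed logins.
esxi_password_policy() {
    esxcli system settings advanced set -o /Security/PasswordQualityControl \
        -s "retry=3 min=disabled,disabled,disabled,disabled,15"
    esxcli system settings advanced set -o /Security/AccountLockFailures -i 5
    esxcli system settings advanced set -o /Security/AccountUnlockTime -i 900
}

# Step 4: ship logs off the host, so an intruder who wipes local logs, or
# encrypts the datastore they live on, does not also erase the evidence.
esxi_remote_syslog() {
    esxcli system syslog config set --loghost="$1"
    esxcli network firewall ruleset set -r syslog -e true
    esxcli system syslog reload
}

# Step 1: patch from an offline bundle (zip) already copied to a datastore.
# Put the host in maintenance mode and evacuate VMs before running this.
esxi_patch() {
    esxcli software vib update -d "$1"
}

# Apply everything. The bundle path is optional (patching may be scheduled
# separately); the other three steps always run.
harden_esxi() {
    esxi_add_admin "$1" "$2"
    esxi_password_policy
    esxi_remote_syslog "$3"
    if [ -n "$4" ]; then
        esxi_patch "$4"
    fi
    return 0
}

# Only act on a real ESXi host; elsewhere the file just defines functions.
if command -v esxcli >/dev/null 2>&1; then
    : "${ESXI_ADMIN_PW:?set ESXI_ADMIN_PW in the environment first}"
    harden_esxi vmadmin "$ESXI_ADMIN_PW" "tcp://siem.example.internal:514" "$1"
fi
```

Run it once per host after reviewing the placeholders, and verify the result with `esxcli system account list`, `esxcli system settings advanced list -o /Security/PasswordQualityControl` and `esxcli system syslog config get`. Tightening the password policy does not rewrite existing passwords, so change root's password afterwards; and syslog over plain TCP is readable on the wire, so use the `ssl://` form with a trusted certificate where the SIEM supports it.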
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.