In an incident that has shaken the hosting services industry, IxMetro Powerhost, a well-known Chilean provider of data centers and hosting, has fallen victim to an attack carried out by a new ransomware group called SEXi. The attack has disrupted the operation of numerous websites and services hosted on the company's servers.
The attack, which took place in the early hours of Saturday, encrypted several of IxMetro Powerhost's VMware ESXi servers, which host virtual private servers for its clients. As a result, the websites and services hosted on those servers went offline while the company struggled to restore terabytes of data from backups. The task was complicated further when it was discovered that the backups themselves had also been encrypted by the attackers.
Ricardo Rubem, CEO of PowerHost, revealed that when he attempted to negotiate, the attackers demanded two bitcoins per victim, totaling approximately 140 million dollars. Even if the requested amount could be raised, the unanimous recommendation of security agencies has been not to negotiate, since in over 90% of cases the criminals disappear after receiving payment.
Germán Fernández, a security researcher at CronUp, has pointed out that the ransomware used in the attack adds the .SEXi extension to encrypted files and leaves ransom notes named SEXi.txt. So far, it has been observed that this ransomware specifically targets VMware ESXi servers.
The infrastructure behind the SEXi ransomware operation does not currently show any distinctive characteristics. The ransom notes simply instruct victims to download the Session messaging application and contact the attackers at the address provided in the note.
Although a sample of the SEXi encryptor has not yet been found, SANS instructor Will Thomas has discovered other variants in use since February 2024 under names such as SOCOTRA, FORMOSA, and LIMPOPO, the last of which adds the .LIMPOPO extension to encrypted files.
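The only indicators the article gives are file-level: the extension the encryptor appends (.SEXi, or .LIMPOPO for the sibling variant) and the ransom note name SEXi.txt. The script below is an added example, not code from the article, its sources, or any of the people quoted; it sweeps a directory tree for those artifacts and reports which directories were hit, which is the first thing a responder wants when deciding which datastores and, importantly, which backup mounts are trustworthy. The sample datastore layout it creates is constructed for the demonstration and contains no real data.

```python
"""Sweep a filesystem tree for the artifacts the article names: files carrying
a known ransomware extension and ransom-note files.

Added example; not code from the article or from any source it cites.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article: the extension SEXi appends, the extension
# the LIMPOPO variant appends, and the ransom note filename. Matching is
# case-insensitive because extension casing varies between samples.
ENCRYPTED_EXTENSIONS = {".sexi", ".limpopo"}
RANSOM_NOTE_NAMES = {"sexi.txt"}


def scan_tree(root, extensions=ENCRYPTED_EXTENSIONS, note_names=RANSOM_NOTE_NAMES):
    """Walk `root` and collect encrypted-looking files and ransom notes.

    Returns a dict with sorted POSIX-style relative paths (stable output for
    diffing between runs) and a per-directory count of encrypted files, which
    shows at a glance which VM folders or datastores were touched.
    """
    root = Path(root)
    encrypted, notes, per_dir = [], [], {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix() or "."
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower() in note_names:
                notes.append(rel)
            elif path.suffix.lower() in extensions:
                encrypted.append(rel)
                per_dir[rel_dir] = per_dir.get(rel_dir, 0) + 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "per_dir": per_dir,
        "hit": bool(encrypted or notes),
    }


def build_sample_tree():
    """Create a constructed datastore layout for the demonstration.

    The names imitate VMware VM folders (vmdk/vmx files) but every path and
    byte here is made up; nothing is taken from a real incident.
    """
    base = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (base / "vm-web01").mkdir()
    (base / "vm-db01").mkdir()
    (base / "vm-web01" / "web01.vmdk.SEXi").write_bytes(b"\x00" * 64)
    (base / "vm-web01" / "web01.vmx.SEXi").write_bytes(b"\x00" * 16)
    (base / "vm-web01" / "SEXi.txt").write_text("constructed ransom note placeholder\n")
    (base / "vm-db01" / "db01.vmdk").write_bytes(b"KDMV" + b"\x00" * 60)  # untouched disk
    (base / "vm-db01" / "db01.log.limpopo").write_bytes(b"\x00" * 8)
    return base


def run_demo():
    """Build the constructed tree, scan it, clean up, and return the report."""
    base = build_sample_tree()
    try:
        return scan_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    report = run_demo()
    print("hit:", report["hit"])
    for rel in report["encrypted"]:
        print("  encrypted:", rel)
    for rel in report["notes"]:
        print("  ransom note:", rel)
    print("  per directory:", report["per_dir"])
```

Point `scan_tree` at a mounted backup or replica before restoring from it: the article notes that the victim's backups had themselves been encrypted, and a sweep like this is a cheap way to detect that before a restore is attempted. The extension and note-name sets are parameters so the same sweep can be reused for the other variants the article mentions as their indicators become known.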
In addition to encrypting servers, it has been revealed that the attackers have created Windows encryptors related to this operation using leaked source code from LockBit 3.0. These display ransom notes indicating data theft with threats of leakage if the ransom is not paid.
This incident underscores the growing threat of ransomware attacks and the importance of implementing robust security measures, especially for hosting service providers and data centers. The industry faces a constant challenge to stay one step ahead of cybercriminals and protect the integrity of its clients' data and services.
Sources: BleepingComputer and CCN-CERT.