APT INC: The Rebranded Threat Continuing VMware ESXi Attacks
In the realm of cybersecurity, rebranding and evolution are common tactics used by cybercriminals to avoid detection and continue their malicious activities. The SEXi ransomware operation, notorious for targeting VMware ESXi servers, has recently rebranded itself as APT INC. Despite the new name, their methods and objectives remain the same, posing a significant threat to organizations worldwide.
Background
SEXi ransomware first emerged in February 2024 and quickly made a name for itself by attacking organizations with leaked encryptors rather than custom tooling: the leaked Babuk encryptor for VMware ESXi servers and the leaked LockBit 3 encryptor for Windows servers. The ESXi encryptor targets the files that make up virtual machines, so the hypervisor's own operating system files are left untouched while the guests become unusable. Since June the group has operated under the new moniker APT INC, with the same encryptors and the same methodology.
Attack on IxMetro Powerhost
One notable victim of the SEXi ransomware operation is the Chilean data center and hosting provider IxMetro Powerhost. PowerHost, a data center, hosting, and interconnectivity company with locations in the USA, South America, and Europe, suffered a significant attack in which SEXi encrypted the company's VMware ESXi servers and its backups.
On the Monday after the attack, PowerHost's Chile division, IxMetro, warned customers that it had been hit by ransomware early on the preceding Saturday morning, and that some of the VMware ESXi servers used to host customers' virtual private servers had been encrypted. Websites and services hosted on those servers went down while the company tried to restore terabytes of data from backups, only to find that the backups had been encrypted as well, leaving affected customers with no quick path to recovery.
Ransom Notes and Demands
When PowerHost attempted to negotiate for a decryption key, the ransomware gang demanded two bitcoins per affected customer, which PowerHost's CEO, Ricardo Rubem, said would total roughly $140 million. Rubem added that every law enforcement agency the company consulted recommended against paying, since in more than 90% of cases the criminals simply disappear after payment.
"For VPS customers impacted by the attack and who still have their website content, the company is offering to set up a new VPS so that customers can bring their sites back online," stated Rubem. This effort aims to mitigate the damage and help customers resume their operations as quickly as possible.
Recovery Challenges
One of the most daunting aspects of dealing with APT INC is that there is no cryptographic shortcut. Both the Babuk and LockBit 3 encryptors are considered secure, with no known weaknesses that would let victims decrypt their files without the attackers' key, so no free decryptor exists. A victim whose backups were also reachable from the compromised environment, as happened at PowerHost, is left with two choices: pay the ransom or accept the loss of the data. Backups that the attackers cannot reach from an ESXi host are therefore the only reliable recovery path.
The New SEXi Ransomware
According to CronUp cybersecurity researcher Germán Fernández, PowerHost was attacked using a new ransomware variant that appends the .SEXi extension to encrypted files and drops ransom notes named SEXi.txt. At the time, the group's known attacks had only been seen targeting VMware ESXi servers, hence the name 'SEXi,' a wordplay on 'ESXi.'
The ransom notes contain a message instructing victims to download the Session messaging app and contact the threat actors at the listed address. Despite the relatively straightforward infrastructure of the ransomware operation, the impact has been significant due to the critical nature of the encrypted files.
Variants and Broader Threats
While BleepingComputer has not been able to find a sample of the SEXi ransomware encryptor, SANS instructor Will Thomas found other variants that have been in use since February 2024. These variants go by the names SOCOTRA, FORMOSA, and LIMPOPO and append the corresponding extension to encrypted files. All three are place names; why the operators chose them is unclear.
The ransom notes in these samples and the SEXi attacks share the same Session contact ID, indicating a unified operation behind these variants. The encryptors were created using the leaked Babuk ransomware source code, which has been used by numerous ransomware gangs to create ESXi encryptors.
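The file-level artifacts described above (the .SEXi extension, the SEXi.txt ransom note, and the sibling SOCOTRA/FORMOSA/LIMPOPO variants) are the quickest thing an ESXi administrator can sweep a datastore for. The following script is an added example written for this page, not code from the researchers or from BleepingComputer. It assumes the sibling variants use the same naming pattern as SEXi (a .SOCOTRA/.FORMOSA/.LIMPOPO extension and a SOCOTRA.txt/FORMOSA.txt/LIMPOPO.txt note); only the .SEXi/SEXi.txt pair is confirmed by the text. It is written in POSIX sh so it runs in the ESXi busybox shell, and the `--demo` mode builds a constructed datastore layout so it can be tried outside a hypervisor:

```shell
#!/bin/sh
# Added example: sweep ESXi datastores for the artifacts the page attributes to
# this operation. The .SOCOTRA/.FORMOSA/.LIMPOPO extensions and their note
# filenames are assumptions derived from the .SEXi / SEXi.txt pattern.

# Print one matching path per line for every file under $1 (default
# /vmfs/volumes) whose name matches a known extension or note filename.
# Matching is case-sensitive on purpose: the confirmed extension is ".SEXi".
find_ransomware_artifacts() {
    root="${1:-/vmfs/volumes}"
    find "$root" -type f \( \
        -name '*.SEXi'    -o -name 'SEXi.txt'    -o \
        -name '*.SOCOTRA' -o -name 'SOCOTRA.txt' -o \
        -name '*.FORMOSA' -o -name 'FORMOSA.txt' -o \
        -name '*.LIMPOPO' -o -name 'LIMPOPO.txt' \
    \) 2>/dev/null
}

# Report the number of hits and return non-zero when anything matched, so the
# function can drive a cron job or monitoring check.
check_datastores() {
    hits=$(find_ransomware_artifacts "$1" | wc -l | tr -d ' ')
    echo "artifacts found: $hits"
    [ "$hits" -eq 0 ]
}

# Constructed sample layout (not real ESXi data): one VM with an encrypted
# disk and a dropped note, one VM left untouched.
make_sample_datastore() {
    base="$1"
    mkdir -p "$base/datastore1/web01" "$base/datastore1/db01"
    : > "$base/datastore1/web01/web01.vmx"
    : > "$base/datastore1/web01/web01-flat.vmdk.SEXi"   # encrypted virtual disk
    : > "$base/datastore1/web01/SEXi.txt"               # ransom note
    : > "$base/datastore1/db01/db01.vmx"
    : > "$base/datastore1/db01/db01-flat.vmdk"           # untouched disk
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_datastore "$tmp"
    find_ransomware_artifacts "$tmp"
    check_datastores "$tmp" || echo "ALERT: possible ESXi ransomware activity"
    rm -rf "$tmp"
fi
```

On a real host, run `check_datastores` with no argument to sweep /vmfs/volumes; a non-zero exit means at least one renamed file or note was found and the host should be isolated before anything else is touched. The check only sees files that have already been renamed, so it is a fast triage step, not a substitute for monitoring ESXi shell and SSH access.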
Windows Encryptors and Double Extortion
Will Thomas found additional Windows encryptors related to this ransomware operation created using the leaked LockBit 3.0 source code. The newly discovered Windows encryptors are associated with the FORMOSA and SOCOTRA campaigns and have slightly different ransom notes than the ESXi versions. These notes indicate that data was stolen in the attack and would be leaked if a ransom is not paid.
"We have exfiltrated all your valuable data. We are going to publish it on the dark web pretty soon," reads the Windows ransom note. This indicates a shift towards double extortion tactics, where attackers threaten to leak stolen data to pressure victims into paying the ransom.
Conclusion
The rebranding of SEXi to APT INC is a change of name, not of behavior: the same leaked Babuk and LockBit 3 encryptors are still being aimed at VMware ESXi servers, now with the added threat of data exfiltration. Because the encryptors have no known flaws, recovery depends entirely on backups the attackers cannot reach and on catching the intrusion before the datastores are encrypted. Organizations running ESXi should harden management access to their hypervisors, keep backups isolated from the virtualization environment, and maintain an incident response plan that assumes both hosts and backups may be encrypted at once.