The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded under the name APT INC and has targeted numerous organizations in recent attacks.
The threat actors began attacking organizations in February 2024 using the leaked Babuk encryptor to target VMware ESXi servers and the leaked LockBit 3 encryptor to target Windows.
The cybercriminals quickly gained media attention for a massive attack on IxMetro Powerhost, a Chilean hosting provider whose VMware ESXi servers were encrypted in the attack.
The ransomware operation was given the name SEXi based on the SEXi.txt ransom note name and the .SEXi extension in the names of encrypted files.
Cybersecurity researcher Will Thomas later found other variants that use the names SOCOTRA, FORMOSA, and LIMPOPO.
While the ransomware operation uses both Linux and Windows encryptors, it is known for targeting VMware ESXi servers.
Rebrands as APT INC
Since June, the ransomware operation has rebranded as APT INC, with cybersecurity researcher Rivitna telling BleepingComputer that they continue to use the Babuk and LockBit 3 encryptors.
Over the past two weeks, numerous APT INC victims have contacted BleepingComputer or posted in our forums to share similar experiences regarding their attacks.
The threat actors gain access to the VMware ESXi servers and encrypt files related to the virtual machines, such as virtual disks, storage, and backup images. The other files on the operating system are not encrypted.
Each victim is assigned a random name that is not affiliated with the company. This name is used for the ransom note names and the encrypted file extension.
These ransom notes contain information on contacting the threat actors using the Session encrypted messaging application. Note that the Session address of 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912 is the same one used in the SEXi ransom notes.
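The pattern described above (VM-related files encrypted with a per-victim tag, operating-system files left alone, a ransom note named after the same tag and carrying the Session address) is what a responder would look for on an affected datastore. The script below is an added example, not code from the article or from any vendor: it walks a datastore directory, flags VM files that carry an extra extension after their normal one, finds text notes containing a Session address, and checks whether the note name and the appended extension share the same tag. That the tag is appended after the original extension (web01.vmdk.<tag>) and that the note is named <tag>.txt are assumptions about the exact format; the directory tree and file names it builds are constructed sample data.

```python
"""Added example, not code from the original article: scan an ESXi datastore
tree for the encryption pattern described above (VM files encrypted, OS files
left alone, a per-victim random name used both as the appended file extension
and as the ransom note name). Assumptions not stated on the page: the tag is
appended after the original extension (web01.vmdk.<tag>) and the note is named
<tag>.txt. Directory layout and file names below are constructed sample data."""
import os
import re
import tempfile
from collections import defaultdict

# VM-related file types the article says get encrypted: virtual disks,
# configuration, snapshot/swap state and backup images.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmss", ".nvram", ".vswp", ".vbk"}

# Session address quoted in the article as shared by SEXi and APT INC notes.
KNOWN_SESSION_ID = "05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912"
# Session IDs are 66 hex characters beginning with "05".
SESSION_ID_RE = re.compile(r"\b05[0-9a-f]{64}\b")


def classify_encrypted_name(filename):
    """Return (original_extension, tag) for names shaped like
    <base>.<vm-ext>.<tag>, where the tag is not itself a VM extension;
    return None for untouched files such as web01.vmdk or vmware.log."""
    parts = filename.rsplit(".", 2)
    if len(parts) != 3:
        return None
    _base, ext, tag = parts
    ext = "." + ext
    if ext in VM_EXTENSIONS and tag and "." + tag.lower() not in VM_EXTENSIONS:
        return ext, tag
    return None


def scan_datastore(root):
    """Walk a datastore tree and collect encrypted VM files, ransom notes
    carrying a Session address, and a per-tag count of encrypted files."""
    findings = {"encrypted": [], "notes": [], "tags": defaultdict(int)}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hit = classify_encrypted_name(name)
            if hit:
                ext, tag = hit
                findings["encrypted"].append((path, ext, tag))
                findings["tags"][tag] += 1
                continue
            if name.lower().endswith(".txt"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = SESSION_ID_RE.search(fh.read())
                if match:
                    # (path, address found, whether it is the known SEXi/APT INC address)
                    findings["notes"].append((path, match.group(0), match.group(0) == KNOWN_SESSION_ID))
    return findings


def matching_tags(findings):
    """Tags that appear both as an appended extension and as a <tag>.txt
    ransom note name: the strongest link between the two artefacts."""
    note_stems = {os.path.splitext(os.path.basename(p))[0] for p, _, _ in findings["notes"]}
    return {tag for tag in findings["tags"] if tag in note_stems}


def make_sample_tree():
    """Create a constructed sample datastore in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="esxi-sample-")
    vm_dir = os.path.join(root, "vmfs", "volumes", "datastore1", "web01")
    clean_dir = os.path.join(root, "vmfs", "volumes", "datastore1", "db02")
    os.makedirs(vm_dir)
    os.makedirs(clean_dir)
    tag = "Xk9pQ"  # constructed per-victim name
    for name in ("web01.vmx", "web01.vmdk", "web01-flat.vmdk"):
        with open(os.path.join(vm_dir, name + "." + tag), "wb") as fh:
            fh.write(b"\x00" * 16)  # stand-in for ciphertext
    with open(os.path.join(vm_dir, "vmware.log"), "w") as fh:
        fh.write("untouched log\n")  # OS/log files are left alone
    with open(os.path.join(vm_dir, tag + ".txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us on Session: " + KNOWN_SESSION_ID + "\n")
    with open(os.path.join(clean_dir, "db02.vmdk"), "wb") as fh:
        fh.write(b"\x00" * 16)  # unaffected VM
    return root


if __name__ == "__main__":
    result = scan_datastore(make_sample_tree())
    print(len(result["encrypted"]), "encrypted VM files;", len(result["notes"]), "ransom note(s)")
    print("tags linking notes to files:", matching_tags(result))
```

On a real host the root would be the mounted datastore path rather than the constructed tree; the per-tag count is what tells a responder how many VM files a single victim name covers, and a note whose address matches the quoted one links the incident to this operation rather than to another reuse of the leaked encryptors.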
BleepingComputer has learned that ransom demands range from tens of thousands to millions, with the CEO of IxMetro Powerhost publicly stating that the threat actors demanded two bitcoins per encrypted customer.
Unfortunately, the Babuk and LockBit 3 encryptors are secure and have no known weaknesses, so there is no free way to recover files.
The leaked Babuk and LockBit 3 encryptors have been used to power new ransomware operations, including APT INC. The leaked Babuk encryptors have been widely adopted because they include an encryptor that targets VMware ESXi servers, which are heavily used in the enterprise.