Rebranded APT INC carries on SEXi ransomware attacks

July 17, 2024

The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded as APT INC and has attacked several enterprises under the new name in recent weeks.

Researchers report that the threat actors began attacking enterprises earlier this year. The campaign does not rely on custom malware: it encrypts VMware ESXi servers with the leaked Babuk encryptor and Windows systems with the leaked LockBit 3 encryptor.

The group gained notoriety quickly, most publicly through its attack on IxMetro Powerhost, a Chilean hosting provider whose VMware ESXi servers the attackers encrypted.

The campaign was named SEXi after the SEXi.txt ransom note its operators dropped and the .SEXi extension appended to encrypted files. A separate research group later identified further variants named SOCOTRA, FORMOSA and LIMPOPO.

The operation has both Linux and Windows encryptors but focuses primarily on VMware ESXi servers.

APT INC is a rebranded ransomware group that leverages known encryptors to compromise targeted entities.

Investigations indicate that the group's first campaign under the APT INC name took place last month, again using the Babuk and LockBit 3 encryptors. Over the past few weeks, numerous APT INC victims have reported on a forum attacks matching the group's established pattern.

Researchers explained that the attackers gain access to VMware ESXi servers and encrypt only the files that belong to virtual machines, such as virtual disks, storage volumes and backups. The remaining files on the hypervisor's own operating system are left untouched, so the host itself typically stays up while every guest on it is unusable.

Each victim is assigned a random name with no connection to the company, and that alias is used both for the ransom note's file name and for the extension appended to encrypted files, so there is no single extension or note name to hunt for across victims. The notes instruct the victim to contact the attackers through the Session encrypted messaging app.

Initial analysis of the new campaign found that its ransom notes carry the Session ID 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912, identical to the one in the earlier SEXi ransom notes. That shared contact identifier is what ties APT INC to SEXi despite the new name and the per-victim file extensions.
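A triage script built on the indicators described above: VM files carrying an unexpected trailing extension, a small text file holding a Session ID, and the known ID shared with SEXi. This is an added example, not code from the original report or from the researchers cited, and it is meant to run against a mounted or exported copy of a datastore rather than the live host. The folder layout, the alias KmR2x and the note contents are constructed for the demonstration; only the Session ID comes from the page.

```python
"""Hunt for SEXi / APT INC indicators on a copy of an ESXi datastore.

Added example, not code from the original report. It assumes the
datastore has been mounted or copied to a path readable by Python.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions that legitimately appear inside a VM folder on a datastore.
VMWARE_EXTS = {
    ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vmss", ".nvram",
    ".log", ".vswp", ".vmem", ".lck", ".hlog", ".vmtx", ".ctk",
}

# Session ID the page reports as shared by the SEXi and APT INC notes.
KNOWN_SESSION_ID = (
    "05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912"
)

# A Session ID is 66 hex characters starting with "05".
SESSION_ID_RE = re.compile(r"\b05[0-9a-fA-F]{64}\b")

# Largest file worth reading when looking for ransom notes.
MAX_NOTE_SIZE = 64 * 1024


def is_encrypted_vm_file(path: Path) -> bool:
    """True for <name>.<vmware-ext>.<extra> where <extra> is not itself a
    VMware extension, e.g. web01-flat.vmdk.KmR2x. The per-victim extension
    is random, so key on the structure rather than a fixed string."""
    suffixes = [s.lower() for s in path.suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-2] in VMWARE_EXTS
        and suffixes[-1] not in VMWARE_EXTS
    )


def triage(root) -> dict:
    """Walk a datastore copy; return encrypted VM files, the extensions they
    carry, and every small text file containing a Session ID."""
    root = Path(root)
    encrypted, ext_counter, notes = [], Counter(), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if is_encrypted_vm_file(p):
            encrypted.append(rel)
            ext_counter[p.suffix] += 1
            continue
        if p.stat().st_size > MAX_NOTE_SIZE:
            continue
        for m in SESSION_ID_RE.finditer(p.read_text(errors="ignore")):
            sid = m.group(0).lower()
            notes.append({"path": rel, "session_id": sid,
                          "matches_known": sid == KNOWN_SESSION_ID})
    return {"encrypted_files": encrypted,
            "extensions": dict(ext_counter),
            "ransom_notes": notes}


def build_sample_datastore(base) -> Path:
    """Constructed sample: one untouched VM folder and one hit VM folder.
    The alias KmR2x and the note text are made up for the demonstration."""
    ds = Path(base) / "datastore1"
    clean, hit = ds / "db01", ds / "web01"
    clean.mkdir(parents=True)
    hit.mkdir(parents=True)
    (clean / "db01.vmx").write_text('config.version = "8"\n')
    (clean / "db01.vmdk").write_text("# Disk DescriptorFile\n")
    (clean / "vmware.log").write_text("vmx| I005: Log for VMware ESX\n")
    alias = "KmR2x"  # constructed per-victim alias, random in real cases
    for name in ("web01.vmx", "web01.vmdk", "web01-flat.vmdk",
                 "web01.vmsd", "web01.nvram"):
        (hit / f"{name}.{alias}").write_bytes(b"\x00" * 64)
    (hit / f"{alias}.txt").write_text(
        f"Your files are encrypted.\nContact us on Session: {KNOWN_SESSION_ID}\n"
    )
    return ds


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_datastore(tmp))


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted_files'])} encrypted VM files, "
          f"extensions {result['extensions']}")
    for note in result["ransom_notes"]:
        tag = "known SEXi/APT INC ID" if note["matches_known"] else "unknown ID"
        print(f"ransom note {note['path']}: {note['session_id']} ({tag})")
```

Point `triage()` at the copied datastore root instead of `demo()` in a real case. Because the script keys on the file-name structure and the Session ID format rather than on `.SEXi` or `SEXi.txt`, it still fires when the alias changes, and `matches_known` tells you whether the note points at the same contact as the SEXi campaign.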

Ransom demands observed so far range from tens of thousands to millions of dollars.

Because the encryptors operate on the ESXi datastore rather than inside the guests, endpoint security running in the virtual machines will not see the attack. Organisations running ESXi should keep the hypervisor patched, restrict the management interfaces (SSH, the host client and vCenter) to a dedicated administration network, and keep offline or immutable backups of the VM files, since those are exactly what this group encrypts.
