Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company’s VMware ESXi servers and backups.
PowerHost is a data center, hosting, and interconnectivity company with locations in the USA, South America, and Europe.
On Monday, PowerHost’s Chile division, IxMetro, warned customers that it suffered a ransomware attack early Saturday morning that encrypted some of the company’s VMware ESXi servers that are used to host virtual private servers for customers.
Customers hosting their websites or services on these servers are currently down as the company attempts to restore terabytes of data from backups.
In the latest update, PowerHost apologized to customers, warning that it may not be possible to restore servers as the backups have also been encrypted.
When attempting to negotiate with the threat actors to receive a decryption key, the ransomware gang demanded two bitcoins per victim, which PowerHost’s CEO says would equal $140 million.
❖ PowerHost CEO Ricardo Rubem.
For VPS customers impacted by the attack and who still have their website content, the company is offering to set up a new VPS so that customers can bring their sites back online.
The new SEXi ransomware
According to CronUp cybersecurity researcher Germán Fernández, PowerHost was attacked using a new ransomware that appends the .SEXi extension and drops ransom notes named SEXi.txt.
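The two file-level indicators reported above (the .SEXi extension and the SEXi.txt ransom note) are enough for a quick triage script. The following is an added example, not code from the article, CronUp or PowerHost: it walks a flat listing of ESXi datastore paths, groups hits by VM folder and reports which folders contain encrypted files and notes. The VMFS path layout and the sample listing are assumptions constructed for illustration.

```python
import os
from collections import defaultdict
from dataclasses import dataclass, field

# Indicators taken from the article: files renamed with a .SEXi extension and
# ransom notes named SEXi.txt. The datastore/VM-folder layout is an assumption
# matching a typical ESXi VMFS layout, not something the article states.
ENCRYPTED_EXT = ".SEXi"
RANSOM_NOTE = "SEXi.txt"

@dataclass
class FolderStatus:
    encrypted_files: list = field(default_factory=list)  # original names, extension stripped
    ransom_note: bool = False

def triage_listing(paths):
    """Group a flat list of datastore file paths by folder and record, per folder,
    which files carry the .SEXi extension and whether SEXi.txt was dropped."""
    status = defaultdict(FolderStatus)
    for p in paths:
        folder, name = os.path.split(p)
        if name == RANSOM_NOTE:
            status[folder].ransom_note = True
        elif name.endswith(ENCRYPTED_EXT):
            status[folder].encrypted_files.append(name[: -len(ENCRYPTED_EXT)])
    return dict(status)

def summarize(status):
    """Return (affected folders, number of encrypted .vmdk files) to size the incident."""
    affected = {f: s for f, s in status.items() if s.encrypted_files or s.ransom_note}
    disks = sum(1 for s in affected.values() for n in s.encrypted_files if n.endswith(".vmdk"))
    return affected, disks

# Constructed sample listing (not real IxMetro data): two VMs hit, one untouched,
# and a backup folder that was encrypted as well, as the article describes.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx.SEXi",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.SEXi",
    "/vmfs/volumes/ds1/web01/SEXi.txt",
    "/vmfs/volumes/ds1/db01/db01.vmdk.SEXi",
    "/vmfs/volumes/ds1/db01/SEXi.txt",
    "/vmfs/volumes/ds1/mail01/mail01.vmx",
    "/vmfs/volumes/ds1/mail01/mail01-flat.vmdk",
    "/vmfs/volumes/backup/web01-backup.vbk.SEXi",
    "/vmfs/volumes/backup/SEXi.txt",
]

if __name__ == "__main__":
    affected, disks = summarize(triage_listing(SAMPLE_LISTING))
    for folder, s in sorted(affected.items()):
        print(f"{folder}: {len(s.encrypted_files)} encrypted file(s), note={s.ransom_note}")
    print(f"{len(affected)} affected folder(s), {disks} encrypted .vmdk file(s)")
```

On a real host the listing would come from `find /vmfs/volumes -type f`; folders with a note but no encrypted files are still reported, since a note alone indicates the actor reached that path.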
While BleepingComputer has not been able to find a sample of this ransomware, we have learned that the ransomware is fairly new, starting to target victims in March 2023.
The threat actors' known attacks have so far only targeted VMware ESXi servers, which is why the ransomware operation chose the name 'SEXi,' a wordplay on 'ESXi.'
However, as a sample of the encryptor has not been found as of yet, it’s possible they are targeting Windows devices as well.
As for the infrastructure of the ransomware operation, there is nothing special about it at this time. The ransom notes simply contain a message telling the victims to download the Session messaging app and to contact them at the listed address.
BleepingComputer has learned that all ransom notes share the same Session contact address, so there is nothing unique for each victim in the ransom note.
Furthermore, it is unknown whether the attackers are stealing data to extort companies in double extortion attacks through data leak sites. However, as this is a very new ransomware operation, that could change at any time.