Ixmetro, the Chilean division of Powerhost, fell victim to a cyberattack by the new SEXI ransomware group on March 30. The attack encrypted VMware ESXi servers and data backups. Powerhost, a company specializing in data centers, hosting, and interconnection with facilities in the USA, South America, and Europe, was affected. Some of the encrypted VMware ESXi servers hosted customer VPS servers, leaving the websites and services running on those VPS servers inaccessible to customers. Efforts are being made to restore data from backups, but Ixmetro stated that the servers may not be recoverable because the backup copies were also encrypted.
Cybersecurity researcher German Fernandez tweeted about the attack on Ixmetro. Powerhost disclosed that it had negotiated with the cybercriminals to obtain a decryption key after they demanded 2 BTC for each victim, totaling around $140 million. Law enforcement agencies advised the company against negotiating, noting that criminals often vanish after being paid. For VPS customers whose websites were impacted but who have saved copies of their content, the company offers to create new VPS instances so that restoring their online presence can be prioritized.
According to cybersecurity researcher German Fernandez, the SEXI ransomware appends “.SEXI” to encrypted files and drops ransom notes named “Sexi.txt.” The attacks primarily target VMware ESXi servers, raising concerns about potential future attacks on Windows-based devices. BleepingComputer reported that the SEXI operation's infrastructure lacks distinct characteristics: the ransom notes direct victims to download the Session messaging application to communicate with the extortionists, and every note carries the same Session contact address, suggesting the notes are not customized per victim. Whether data was also stolen for double-extortion leaks remains uncertain as this new campaign evolves.
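The two file-based indicators reported above (the “.SEXI” extension on encrypted files and the “Sexi.txt” ransom note) are enough for a defender to triage a mounted datastore or backup volume. The script below is an added example written for this article; it is not code from Powerhost, Ixmetro, or BleepingComputer. It walks a directory tree, collects both indicators, and groups hits by top-level folder so a responder can see which VM directories were touched. Matching is case-insensitive because the article itself spells the indicators with mixed case. The sample tree built by `build_sample_tree()` is constructed for demonstration and is not real victim data; the datastore path is an assumption you would replace with your own mount point.

```python
"""Scan a directory tree for the SEXI file indicators described in the article.

Added example, not code from the article or from any vendor.  Indicators
(".SEXI" suffix, "Sexi.txt" note) are taken from the article; everything else
here (function names, sample tree, grouping logic) is this example's own.
"""

import os
import sys
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".SEXI"     # extension appended to encrypted files (per the article)
RANSOM_NOTE_NAME = "Sexi.txt"  # ransom note filename (per the article)


@dataclass
class ScanResult:
    """Paths are relative to the scanned root, with '/' separators, sorted."""
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def is_hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def scan_for_indicators(root: str) -> ScanResult:
    """Walk `root` and collect files matching either indicator (case-insensitive)."""
    result = ScanResult()
    suffix = ENCRYPTED_SUFFIX.lower()
    note = RANSOM_NOTE_NAME.lower()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            lowered = name.lower()
            if lowered == note:
                result.ransom_notes.append(rel)
            elif lowered.endswith(suffix):
                result.encrypted_files.append(rel)
    result.encrypted_files.sort()
    result.ransom_notes.sort()
    return result


def affected_folders(result: ScanResult) -> list:
    """Top-level folders (on ESXi, typically one per VM) that contain any indicator."""
    folders = set()
    for rel in result.encrypted_files + result.ransom_notes:
        folders.add(rel.split("/", 1)[0])
    return sorted(folders)


def build_sample_tree(include_indicators: bool = True) -> str:
    """Create a constructed datastore-like tree in a temp dir and return its path.

    vm01 is laid out as an impacted VM folder (encrypted .vmdk/.vmx plus a note);
    vm02 is clean.  Contents are placeholders, not real VM data.
    """
    root = tempfile.mkdtemp(prefix="sexi-scan-demo-")
    layout = {
        "vm02/vm02.vmdk": b"clean placeholder",
        "vm02/vm02.vmx": b"clean placeholder",
    }
    if include_indicators:
        layout.update({
            "vm01/vm01.vmdk.SEXI": b"encrypted placeholder",
            "vm01/vm01.vmx.SEXI": b"encrypted placeholder",
            "vm01/Sexi.txt": b"ransom note placeholder (constructed)",
        })
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # Usage: python sexi_scan.py /vmfs/volumes/<datastore>   (path is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    res = scan_for_indicators(target)
    print(f"scanned {target}: hit={res.is_hit}")
    print(f"  encrypted files: {len(res.encrypted_files)}")
    print(f"  ransom notes:    {len(res.ransom_notes)}")
    print(f"  affected folders: {affected_folders(res)}")
```

Run it with no arguments to scan the constructed sample tree, or pass a mounted datastore path. Because the scan only reads filenames, it can be run from a read-only mount of a backup volume without touching the data, which matters when backups are the only remaining copy.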