{
	"id": "14b3032f-e5dd-4824-954a-efb559e3cabc",
	"created_at": "2026-04-06T00:16:56.920956Z",
	"updated_at": "2026-04-10T13:11:45.742376Z",
	"deleted_at": null,
	"sha1_hash": "3ae6503272e330433f17d24cd2a0caf4f327ba5d",
	"title": "Ransomware Desires VMware Hypervisors in Ongoing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1621766,
	"plain_text": "Ransomware Desires VMware Hypervisors in Ongoing Campaign\r\nBy Tara Seals\r\nPublished: 2024-04-04 · Archived: 2026-04-02 12:27:44 UTC\r\nTara Seals, Managing Editor, News, Dark Reading\r\nApril 4, 2024\r\n4 Min Read\r\nSource: Don McBailey/Stockimo via Alamy Stock Photo\r\nWhat appears to be a fresh variant of the Babuk ransomware has emerged to attack VMware ESXi servers in several countries, including a confirmed hit on IxMetro PowerHost, a Chilean data center hosting company. The variant calls itself \"SEXi,\" a play on its target platform of choice.\r\nAccording to CronUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem issued a statement confirming that a new ransomware variant had locked up the company's servers using the .SEXi file extension, with the initial access vector to the internal network as yet unknown. The attackers requested $140 million in ransom, which Rubem indicated would not be paid.\r\nhttps://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors\r\nPage 1 of 4\r\nSEXi's emergence stands at the crossroads of two major ransomware trends: the rash of threat actors who have developed malware based on the Babuk source code; and a lust for compromising tantalizingly juicy VMware ESXi servers.\r\nIX PowerHost Attack Part of Wider Ransomware Campaign\r\nMeanwhile, Will Thomas, CTI researcher at Equinix, uncovered what he believes to be a binary related to that used in the attack, dubbed \"LIMPOPOx32.bin\" and tagged as a Linux version of Babuk in VirusTotal. At press time, that malware has a 53% detection rate on VT, with 34 out of 64 security vendors flagging it as malicious since it was first uploaded on Feb. 8. MalwareHunterTeam spotted it back on Valentine's Day, when it was being used without the \"SEXi\" handle in an attack on an entity in Thailand.\r\nBut Thomas further discovered other, related binaries. As he tweeted, \"SEXi ransomware attack on IXMETRO POWERHOST linked to broader campaign that has hit at least three Latin American countries.\" These call themselves Socotra (used in an attack in Chile on March 23); Limpopo again (used in an attack in Peru on Feb. 9); and Formosa (used in an attack in Mexico on Feb. 26). Concerningly, at press time all three registered zero detections in VT.\r\nTogether, the findings showcase the development of a novel campaign using various SEXi iterations that all lead back to Babuk.\r\nShadowy TTPs Emerge in SEXi Attacks\r\nThere's no indication of where the malware operators originate from or what their intentions are. But slowly a set of tactics, techniques, and procedures is emerging. For one, the binaries' nomenclature comes from place names. Limpopo is the northernmost province of South Africa; Socotra is a Yemeni island in the Indian Ocean; and Formosa was a short-lived republic located on Taiwan in the late 1800s, after China's Qing Dynasty ceded its rule over the island.\r\nAnd, as MalwareHunterTeam pointed out on X, \"maybe interesting / worth to mention about this 'SEXi' ransomware that the communication method specified by the actors in the note is Session. While we['ve] seen some actors using it even years ago already, I [don't] remember seeing it in relation to any big/serious cases/actors.\"\r\nSession is a cross-platform, end-to-end encrypted instant messaging application emphasizing user confidentiality and anonymity. The ransom note in the IX PowerHost attack urged the company to download the app and then send a message with the code \"SEXi\"; the earlier note in the Thai attack urged the Session download but to include the code \"Limpopo.\"\r\nESXi Is Sexy to Cyberattackers\r\nVMware's ESXi hypervisor platform runs on Linux and Linux-like OS, and can host multiple, data-rich virtual machines (VMs). It has been a popular target for ransomware actors for years now, partly because of the size of the attack surface: There are tens of thousands of ESXi servers exposed to the Internet, according to a Shodan search, with most of them running older versions. And that doesn't take into account those that are reachable after an initial access breach of a corporate network.\r\nAlso contributing to ransomware gangs' growing interest in ESXi, the platform doesn't support any third-party security tooling.\r\n\"Unmanaged devices such as ESXi servers are a great target for ransomware threat actors,\" according to a report from Forescout released last year. \"That's because of the valuable data on these servers, a growing number of exploited vulnerabilities affecting them, their frequent Internet exposure and the difficulty of implementing security measures, such as endpoint detection and response (EDR), on these devices. ESXi is a high-yielding target for attackers since it hosts several VMs, allowing attackers to deploy malware once and encrypt numerous servers with a single command.\"\r\nVMware has a guide for securing ESXi environments. Specific suggestions include: Make sure ESXi software is patched and up-to-date; harden passwords; remove servers from the Internet; monitor for abnormal activities on network traffic and on ESXi servers; and ensure there are backups of the VMs outside the ESXi environment to enable recovery.\r\nAbout the Author\r\nManaging Editor, News, Dark Reading\r\nTara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.\r\nSource: https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors"
	],
	"report_names": [
		"sexi-ransomware-desires-vmware-hypervisors"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ddf5aa3a-099f-4592-bb25-58ba16d6bb77",
			"created_at": "2024-06-07T02:00:04.008432Z",
			"updated_at": "2026-04-10T02:00:03.647153Z",
			"deleted_at": null,
			"main_name": "SEXi",
			"aliases": [],
			"source_name": "MISPGALAXY:SEXi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ae6503272e330433f17d24cd2a0caf4f327ba5d.pdf",
		"text": "https://archive.orkl.eu/3ae6503272e330433f17d24cd2a0caf4f327ba5d.txt",
		"img": "https://archive.orkl.eu/3ae6503272e330433f17d24cd2a0caf4f327ba5d.jpg"
	}
}