{
	"id": "c50684b3-d9ad-46fe-9711-f7b92a86849c",
	"created_at": "2026-04-06T00:14:39.961394Z",
	"updated_at": "2026-04-10T03:28:28.800297Z",
	"deleted_at": null,
	"sha1_hash": "811e6bd2f4b0108b5715877ce62ca9838a5e5d25",
	"title": "Proven Data Restores PowerHost's VMware Backups After SEXi Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618315,
	"plain_text": "Proven Data Restores PowerHost's VMware Backups After SEXi\r\nRansomware Attack\r\nBy Jane Devry\r\nPublished: 2024-05-31 · Archived: 2026-04-05 17:14:17 UTC\r\nThe rise of sophisticated cyberattacks and increasingly brazen attackers is a well-established threat. Businesses\r\nand organizations need to take action and be aware of the risks cyberattacks and data breaches pose to their daily\r\nfunctions, financial statements, and reputation. A recent ransomware incident involving IxMetro PowerHost, a\r\nChilean data center and hosting provider with operations spanning the USA, South America, and Europe, is a stark\r\nreminder of these dangers.\r\nThe ransomware deployed by a threat actor group known as “SEXi” was specifically designed to target ESXi\r\nenvironments, a choice reflected in the group’s name, which is an anagram of ESXi. This suggests a deliberate\r\nfocus on these systems, leveraging specific vulnerabilities or misconfigurations common in such setups. Once\r\ninside the network, the ransomware likely utilized scripts or automated processes to locate and encrypt ESXi\r\nserver data systematically, rendering the virtual machines (VMs) and their associated data inaccessible. This\r\nmethod ensures a high-impact disruption, as each encrypted ESXi server simultaneously affects multiple clients\r\nand services.\r\nThe Attack History\r\nhttps://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/\r\nPage 1 of 3\n\nApril 2024 saw the emergence of the SEXi ransomware gang, which launched a strategic attack on PowerHost’s\r\nVMware ESXi servers hosting their clients’ virtual private servers (VPS). The ransomware, specifically crafted to\r\nexploit vulnerabilities in ESXi systems, spread rapidly across the network. 
It systematically encrypted data on the\r\nservers and backups, crippling the virtual machines (VMs) and rendering crucial data inaccessible.\r\nSEXi’s method was particularly devastating because it focused on hosts that centralize multiple virtual environments\r\nwithin single physical servers. This strategy maximized disruption by encrypting a limited number of high-value\r\ntargets, significantly impacting PowerHost’s clients. This approach demonstrates an evolution in ransomware\r\ntactics, where attackers aim to negate the victim’s ability to recover independently, thus strengthening their\r\nleverage.\r\nThe attack encrypted terabytes of data, effectively rendering numerous websites and services hosted on these servers\r\ninaccessible. The ransomware gang demanded a ransom of two bitcoins per victim, which would have amounted\r\nto an astronomical $140 million.\r\nMitigation and Recovery\r\nAs customers began experiencing service outages, PowerHost’s IT team swiftly identified the ransomware\r\ninfection. Recognizing the severity of the situation, they enlisted the expertise of Proven Data’s cybersecurity\r\nspecialists. Simultaneously, PowerHost’s CEO, Ricardo Rubem, coordinated with law enforcement agencies\r\nacross multiple countries to gain insights and formulate a response strategy. The clear consensus from these\r\nagencies was to refrain from paying the ransom.\r\nAlthough the ransomware had encrypted both primary data and backups, PowerHost and Proven Data worked tirelessly to restore\r\nservices. Leveraging advanced decryption techniques and cutting-edge recovery tools, the joint effort resulted in\r\nsuccessful data recovery for IxMetro PowerHost. 
This critical intervention saved the company from the staggering\r\n$140 million ransom demand and minimized operational downtime and financial losses.\r\nWhile the recovery process is still ongoing, PowerHost has offered affected VPS customers the option to set up\r\nnew VPS systems, enabling some customers to resume online operations.\r\nResults\r\nPowerHost’s collaboration with Proven Data cybersecurity experts and law enforcement agencies was crucial and\r\nunderscored the importance of collective efforts in combating cyber threats. This collaborative approach was a\r\ntestament to the strength of the cybersecurity community and its commitment to protecting businesses and\r\norganizations.\r\nIt also outlines the importance of transparent and timely communication with customers, which is vital in\r\nmaintaining trust and managing the fallout from such attacks.\r\nLessons Learned\r\nThe ransomware attack on PowerHost is a critical lesson for businesses worldwide about the necessity of robust\r\ncybersecurity measures. By learning from PowerHost’s experience, other companies can fortify their defenses and\r\nbetter protect themselves against the ever-growing ransomware threat. The incident highlights the strength of the\r\ncybersecurity community and its unwavering commitment to safeguarding businesses and their operations.\r\nAbout Bogdan Glushko\r\nBogdan Glushko is the Chief Information Officer of Proven\r\nData. Glushko actively leverages his years of experience restoring thousands of critical systems after incidents.\r\nGlushko is a trusted voice guiding organizations on resilient data strategies, ransomware response protocols, and\r\nmitigating evolving cyber threats. 
Through proven leadership, he continues delivering cutting-edge data\r\npreservation and recovery solutions that fortify business resilience against breaches, outages, and data loss from\r\nmodern cyber attacks.\r\nSource: https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/"
	],
	"report_names": [
		"proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "ddf5aa3a-099f-4592-bb25-58ba16d6bb77",
			"created_at": "2024-06-07T02:00:04.008432Z",
			"updated_at": "2026-04-10T02:00:03.647153Z",
			"deleted_at": null,
			"main_name": "SEXi",
			"aliases": [],
			"source_name": "MISPGALAXY:SEXi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/811e6bd2f4b0108b5715877ce62ca9838a5e5d25.pdf",
		"text": "https://archive.orkl.eu/811e6bd2f4b0108b5715877ce62ca9838a5e5d25.txt",
		"img": "https://archive.orkl.eu/811e6bd2f4b0108b5715877ce62ca9838a5e5d25.jpg"
	}
}