{
	"id": "b7227560-318d-44cf-9b97-57a3b7f31e14",
	"created_at": "2026-04-06T00:22:38.809393Z",
	"updated_at": "2026-04-10T03:30:33.860747Z",
	"deleted_at": null,
	"sha1_hash": "bee62cc4e2e0809f6967de24e93e637e442ccd67",
	"title": "Powerhost’s ESXi Servers Encrypted with New SEXi Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203792,
	"plain_text": "Powerhost’s ESXi Servers Encrypted with New SEXi Ransomware\r\nBy Madalina Popovici\r\nPublished: 2024-04-05 · Archived: 2026-04-02 11:57:14 UTC\r\nIxMetro Powerhost, a Chilean data center and hosting provider, has become the latest target of a cyberattack by a\r\nnewly identified ransomware group dubbed SEXi.\r\nThis malicious group successfully encrypted the company’s VMware ESXi servers, which host virtual private\r\nservers for their clients, as well as the backups, putting a significant portion of hosted websites and services out of\r\ncommission.\r\nHow is PowerHost responding to the attack?\r\nFollowing the attack, PowerHost, which operates across the USA, South America, and Europe, has been striving\r\nto mitigate the impact on its customers.\r\nDespite efforts to restore the compromised data from backups, the company faces challenges due to the encryption\r\nof these backups as well.\r\nIn an effort to address customer concerns, PowerHost has extended an offer to impacted VPS customers,\r\nproposing to set up new VPS systems for those who still possess their website content, enabling them to resume\r\nonline operations.\r\nThe ransom demand and negotiations\r\nNegotiations with the perpetrators revealed a ransom demand of two bitcoins per victim, totaling an astronomical\r\nsum of $140 million.\r\nPowerHost’s CEO, Ricardo Rubem, shared insights into the negotiations and the advice received from security\r\nagencies, emphasizing the high risk and low success rate of giving in to ransom demands.\r\nFrom the very beginning of the issue, we have been in contact and collaborating with various security\r\nagencies in various countries to determine if they were aware of this ransomware.\r\nAll the information we’ve gathered indicates that these are new variants with a very high level of\r\ndamage. 
Personally, I negotiated with the hijacker, who demanded an exorbitant amount of bitcoins per\r\ncustomer: 2 BTC for each, which added up to around 140 million.\r\nHowever, even if we could muster the required amount, would it really help us? The unanimous\r\nrecommendation of all law enforcement agencies is not to negotiate, as in more than 90% of cases,\r\ncriminals simply disappear after payment.\r\nPowerHost CEO Ricardo Rubem (source)\r\nhttps://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/\r\nPage 1 of 3\n\nSEXi ransomware\r\nPowerHost was attacked by a new type of ransomware, according to CronUp cybersecurity expert Germán\r\nFernández.\r\nThis ransomware encrypts files and leaves behind a ransom note titled SEXi.txt.\r\nSo far, this ransomware has only attacked VMware ESXi servers. Its name, “SEXi,” is a clever play on the word\r\n“ESXi.”\r\nWhat do the experts say?\r\nGermán Fernández discovered that the ransomware encrypted virtual machine files and marked them with a\r\nunique SEXi extension, as evidenced by the content of the ransom notes.\r\nThese notes instruct victims to download the Session messaging app for communication and include a specific\r\ncontact address for negotiations.\r\nRansomware note (source)\r\nBleepingComputer has some insights from SANS instructor Will Thomas about new ransomware variants named\r\nSOCOTRA, FORMOSA, and LIMPOPO, active since February 2024.\r\nThese variants, which add unique extensions like .LIMPOPO to files, don’t seem to relate directly to their\r\nnamesakes. 
But interestingly, these campaigns, including the SEXi ransomware, share a common Session\r\ncontact ID in their ransom notes, suggesting a uniform approach to victim communication.\r\nThe LIMPOPO variant, in particular, is believed to be developed from the leaked Babuk ransomware source code,\r\nknown for targeting ESXi servers.\r\nCurrently, there’s no sign of Windows-targeted encryptors in these campaigns, nor clear evidence of double\r\nextortion tactics being used, though the situation could change as these are new operations.\r\nMadalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year\r\nbackground in PR \u0026 CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap\r\nbetween cyber experts and the wider audience with finesse.\r\nSource: https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/"
	],
	"report_names": [
		"powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware"
	],
	"threat_actors": [
		{
			"id": "ddf5aa3a-099f-4592-bb25-58ba16d6bb77",
			"created_at": "2024-06-07T02:00:04.008432Z",
			"updated_at": "2026-04-10T02:00:03.647153Z",
			"deleted_at": null,
			"main_name": "SEXi",
			"aliases": [],
			"source_name": "MISPGALAXY:SEXi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bee62cc4e2e0809f6967de24e93e637e442ccd67.pdf",
		"text": "https://archive.orkl.eu/bee62cc4e2e0809f6967de24e93e637e442ccd67.txt",
		"img": "https://archive.orkl.eu/bee62cc4e2e0809f6967de24e93e637e442ccd67.jpg"
	}
}