SEXi Ransomware wants VMware hypervisors

What appears to be a new variant of the Babuk ransomware has emerged to attack VMware ESXi servers in several countries, including a confirmed hit on IxMetro PowerHost, a Chilean data center hosting company. The variant is called “SEXi”, a play on its favorite target platform.

According to Germán Fernández, a cybersecurity researcher at CronUp, PowerHost CEO Ricardo Rubem released a statement confirming that a new ransomware variant had hit the company’s servers, leaving files with the .SEXi extension; the initial access vector into the internal network is still unknown. The attackers demanded a ransom of $140 million, which Rubem said would not be paid.

The emergence of SEXi sits at the crossroads of two major ransomware trends: the wave of threat actors building malware on the leaked Babuk source code, and the appetite for compromising tempting, data-rich VMware ESXi servers.

IxMetro PowerHost attack part of a larger ransomware campaign

Meanwhile, Will Thomas, a CTI researcher at Equinix, has found what he believes to be a binary related to the one used in the attack, named “LIMPOPOx32.bin” and tagged on VirusTotal as a Linux version of Babuk. At press time that sample had a 53% detection rate on VT, with 34 of 64 security vendors flagging it as malicious since it was first uploaded on February 8. MalwareHunterTeam noticed it on Valentine’s Day, when it was used, without the “SEXi” handle, in an attack on an entity in Thailand.

Thomas went on to find other related binaries. As he tweeted, “The SEXi ransomware attack against IXMETRO POWERHOST is linked to a larger campaign that affected at least three Latin American countries.” The binaries are named Socotra (used in an attack in Chile on March 23); Limpopo again (used in an attack in Peru on February 9); and Formosa (used in an attack in Mexico on February 26). As of this writing, all three have zero detections on VT.

Taken together, the findings point to a new campaign using several iterations of SEXi that all trace back to Babuk.

Dark TTPs emerge in SEXi attacks

There is no indication of where the malware operators come from or what their intentions are, but a variety of tactics, techniques and procedures are slowly emerging. For one thing, the naming convention draws on place names: Limpopo is the northernmost province of South Africa; Socotra is a Yemeni island in the Indian Ocean; and Formosa was a short-lived republic on Taiwan in the late 1800s, after the Chinese Qing Dynasty relinquished its rule over the island.

And, as MalwareHunterTeam pointed out, the operators’ use of the Session messaging app is unusual: “[I]’ve seen some actors use it years ago, I [don’t] remember seeing it in relation to large/serious cases/actors.”

Session is a cross-platform, end-to-end encrypted instant messaging application that emphasizes user privacy and anonymity. The ransom note in the IxMetro PowerHost attack told the company to download the app and then send a message containing the code “SEXi”; the earlier note in the Thai attack likewise urged the victim to download Session, but with the code “Limpopo”.
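The two indicators the article gives, the .SEXi extension appended to encrypted files and a ransom note that instructs the victim to install Session and send a campaign code, are enough for a simple first-pass triage over an ESXi datastore. The script below is an added example, not code from the article or from any of the researchers it quotes; the ransom-note file name pattern and the sample datastore tree it builds are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the article: encrypted files carry a ".SEXi" extension,
# and ransom notes tell victims to install the Session messenger and send a
# campaign code ("SEXi" at PowerHost, "Limpopo" in the earlier Thai attack;
# "Socotra" and "Formosa" are the other binary names from the same campaign).
ENCRYPTED_EXTENSION = ".sexi"  # compared case-insensitively
CAMPAIGN_CODES = ("SEXi", "Limpopo", "Socotra", "Formosa")
# Assumption for this example: notes are .txt files named like "README" /
# "RECOVER" / "RESTORE"; real note names may differ, so widen as needed.
NOTE_NAME_PATTERN = re.compile(r"(readme|recover|restore).*\.txt$", re.IGNORECASE)


def find_encrypted_files(root):
    """Return every path under root whose final suffix is .SEXi."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() == ENCRYPTED_EXTENSION:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def classify_note(text):
    """Return (uses_session, matched_codes) for a ransom-note body."""
    uses_session = re.search(r"\bsession\b", text, re.IGNORECASE) is not None
    codes = [
        code for code in CAMPAIGN_CODES
        if re.search(rf"\b{re.escape(code)}\b", text, re.IGNORECASE)
    ]
    return uses_session, codes


def triage(root):
    """Walk a datastore-like tree and summarise IoC hits as a dict."""
    encrypted = find_encrypted_files(root)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not NOTE_NAME_PATTERN.search(name):
                continue
            body = Path(dirpath, name).read_text(errors="replace")
            uses_session, codes = classify_note(body)
            if uses_session or codes:
                notes.append({
                    "path": os.path.join(dirpath, name),
                    "uses_session": uses_session,
                    "codes": codes,
                })
    # Both artefacts together are a strong signal; either alone merits a look.
    return {
        "encrypted_files": encrypted,
        "notes": notes,
        "suspected": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Constructed sample datastore for the demo (not real artefacts)."""
    root = tempfile.mkdtemp(prefix="esxi-datastore-")
    vm = Path(root, "vm01")
    vm.mkdir()
    (vm / "vm01.vmdk.SEXi").write_bytes(b"\x00" * 16)
    (vm / "vm01.vmx.SEXi").write_bytes(b"\x00" * 16)
    (vm / "vm01.nvram").write_bytes(b"\x00" * 16)  # untouched file
    Path(root, "RECOVER-FILES.txt").write_text(
        "Your files are encrypted. Download Session and send us the code SEXi.\n"
    )
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"encrypted files: {len(result['encrypted_files'])}")
    for note in result["notes"]:
        print(f"note {note['path']}: session={note['uses_session']} codes={note['codes']}")
    print("suspected SEXi/Babuk activity:", result["suspected"])
```

Point `triage()` at a mounted datastore path (for example a VMFS volume exported over NFS for offline review) rather than the live host; the walk is read-only, but running triage from the compromised hypervisor itself risks disturbing evidence and trusting a host whose binaries may be altered.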

ESXi is sexy to cyber attackers

VMware’s ESXi hypervisor platform runs on Linux and Linux-like operating systems and can host multiple data-rich virtual machines (VMs). It has been a popular target for ransomware authors for years now, partly because of the size of the attack surface: according to Shodan research, tens of thousands of ESXi servers are exposed to the Internet, most of them running older versions. And that doesn’t count the servers that become reachable after an initial breach of a corporate network.

Also contributing to the growing interest of ransomware gangs in ESXi: the platform does not support third-party security tools.

“Unmanaged devices like ESXi servers are a prime target for ransomware threat actors,” according to a report by Explorer released last year. “This is due to the valuable data on these servers, a growing number of exploited vulnerabilities affecting them, their frequent exposure to the Internet, and the difficulty of implementing security measures, such as endpoint detection and response (EDR), on these devices. ESXi is a high-yield target for attackers because it hosts multiple VMs, allowing attackers to deploy malware once and encrypt numerous servers with a single command.”

VMware has a guide to protecting ESXi environments. Its specific tips include: keep your ESXi software up to date; strengthen passwords; remove servers from the Internet; monitor network traffic and ESXi servers for anomalous activity; and keep backups of virtual machines outside the ESXi environment so that recovery is possible.
