APT INC: The Rebranded Threat Continuing VMware ESXi Attacks

The notorious SEXi ransomware operation, previously known for its relentless attacks on VMware ESXi servers, has recently rebranded itself as APT INC. This cybercriminal group has continued its assault on numerous organizations, maintaining its focus on VMware ESXi servers with renewed vigor.

The ransomware operation began in February 2024, leveraging the leaked Babuk encryptor to compromise VMware ESXi servers, alongside the leaked LockBit 3 encryptor for targeting Windows systems. This marked the start of their high-profile attacks, one of the most notable being the significant breach of IxMetro Powerhost, a Chilean hosting provider. The organization’s VMware ESXi servers were severely impacted during this attack, drawing widespread media attention.

The group initially named itself SEXi, derived from the ransom note file name SEXi.txt and the .SEXi extension added to encrypted files. Cybersecurity expert Will Thomas later discovered additional variants using names like SOCOTRA, FORMOSA, and LIMPOPO. Despite utilizing both Linux and Windows encryptors, their primary focus remains VMware ESXi servers.

[Figure: SEXi ransom note. Source: BleepingComputer]

The Transition to APT INC

In June, the group transitioned to the new name, APT INC. Cybersecurity researcher Rivitna confirmed to BleepingComputer that they continue to employ the Babuk and LockBit 3 encryptors in their operations.

Over the past two weeks, several victims of APT INC have posted on forums describing very similar attacks. The attackers gain access to VMware ESXi servers and encrypt the files that make up virtual machines, such as virtual disks, storage, and backup images. Notably, other operating system files on the host are left unencrypted.

Victims are assigned random names unrelated to their companies, which are used for ransom note file names and encrypted file extensions. These notes provide instructions for contacting the threat actors via the Session encrypted messaging application. Interestingly, the Session address 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912, used in SEXi ransom notes, is still employed by APT INC.
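The pattern described above (VM files renamed with a random extension, a ransom note named after that same extension, and a reused Session contact address) can be triaged from a datastore file listing. The following is an added example, not code from the article or from the attackers' tooling; the list of VM file extensions and the sample paths are assumed and constructed, while the Session ID is the one quoted above.

```python
"""Triage a VMware datastore listing for APT INC / SEXi-style encryption."""
import re
from collections import defaultdict

# Session ID quoted in the article as carried over from SEXi notes to APT INC notes.
KNOWN_SESSION_ID = "05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912"
# VM-related extensions the encryptor is expected to touch (assumed list).
VM_EXTS = sorted({"vmdk", "vmx", "vmsd", "vmsn", "vmem", "nvram", "vbk"})
# Matches "<name>.<vm extension>.<appended extension>", e.g. web01.vmdk.kq7x2
VM_FILE = re.compile(r"^(?P<stem>.+)\.(?P<vmext>" + "|".join(VM_EXTS)
                     + r")\.(?P<extra>[A-Za-z0-9]+)$")


def triage(listing):
    """listing maps path -> file text (or None for binary/unread files).

    Returns one finding per appended extension: the VM files carrying it,
    the ransom note whose name matches it (if any), and whether that note
    contains the known Session ID. A legitimate suffix such as .bak will
    also show up, but without a matching note, so it is easy to dismiss."""
    by_ext = defaultdict(list)
    notes = {}  # note name without .txt -> (path, content)
    for path, content in listing.items():
        name = path.rsplit("/", 1)[-1]
        m = VM_FILE.match(name)
        if m:
            by_ext[m.group("extra")].append(path)
        elif name.lower().endswith(".txt") and content is not None:
            notes[name[:-4]] = (path, content)
    findings = []
    for ext, paths in sorted(by_ext.items()):
        note = notes.get(ext)
        findings.append({
            "extension": ext,
            "encrypted_vm_files": sorted(paths),
            "matching_note": note[0] if note else None,
            "known_session_id": bool(note and KNOWN_SESSION_ID in note[1]),
        })
    return findings


# Constructed sample listing: one encrypted VM, one clean VM, one note.
SAMPLE = {
    "/vmfs/volumes/ds1/web01/web01.vmdk.kq7x2": None,
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.kq7x2": None,
    "/vmfs/volumes/ds1/web01/web01.vmx.kq7x2": None,
    "/vmfs/volumes/ds1/web01/vmware.log": None,   # non-VM file, untouched
    "/vmfs/volumes/ds1/kq7x2.txt": "Contact us via Session: " + KNOWN_SESSION_ID,
    "/vmfs/volumes/ds1/db02/db02.vmdk": None,     # clean VM
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```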

Ransom Demands and Challenges

Ransom demands from APT INC vary widely, ranging from tens of thousands to millions of dollars. For instance, the CEO of IxMetro Powerhost revealed that the attackers demanded two bitcoins per encrypted customer.

The Babuk and LockBit 3 encryptors, unfortunately, have no known cryptographic weaknesses, so there is no free way to recover encrypted files. The leaked encryptors have been adopted by various new ransomware groups, including APT INC, because they work reliably, and in particular because the Babuk encryptor can target VMware ESXi servers, which are prevalent in enterprise environments.

Conclusion

APT INC’s rebranding from SEXi does not signify a change in their tactics or targets. The group continues to pose a significant threat to organizations, especially those utilizing VMware ESXi servers. With no known weaknesses in their encryption methods, victims are often left with few options but to comply with ransom demands or face significant data loss. Cybersecurity professionals and organizations must remain vigilant and proactive in their defense strategies to mitigate the risks posed by such formidable ransomware operations.

🚨Read my blog: https://angrysysops.com/