Several companies running their workloads on VMware ESXi servers were attacked by the hacking group SEXi. They developed ransomware called SEXi to encrypt VMware ESXi servers, virtual machines, and backups.
SEXi = ESXi – quite an interesting name, isn’t it? It points directly to ESXi.
Unfortunately, they were successful in doing so.
In this article, I will walk you through the SEXi ransomware, and how it works, share some stories, and explain how to protect your VMware workloads to stay safe.
What is SEXi ransomware?
The SEXi ransomware has been developed by the ransomware group SEXi. Once the ransomware gets into the network due to poor security measures, it targets VMware ESXi and encrypts the following files, and it appends the SEXi extension.
| File | Usage | Description |
|---|---|---|
| .vmx | vmname.vmx.SEXi | Virtual machine configuration file |
| .vmxf | vmname.vmxf.SEXi | Additional virtual machine configuration files |
| .vmdk | vmname.vmdk.SEXi | Virtual disk characteristics |
| -flat.vmdk | vmname-flat.vmdk.SEXi | Virtual machine data disk |
| .nvram | vmname.nvram or nvram.SEXi | Virtual machine BIOS or EFI configuration |
| .vmem | vmname.vmem.SEXi | Virtual machine paging backup file |
| .vmsd | vmname.vmsd.SEXi | Virtual machine snapshots information (metadata) file |
| .vmsn | vmname.vmsn.SEXi | Virtual machine memory snapshot file |
| .vswp | vmname.vswp.SEXi | Virtual machine swap file |
| .vvmss | vmname.vmss.SEXi | Virtual machine suspend file |
| .log | vmware.log.SEXi | Current virtual machine log file |
| -#.log | vmware-#.log.SEXi | Old virtual machine log files |
Once files are encrypted, SEXi ransomware creates a ransom note SEXi.txt with instructions on how to get the decryption key. To get the description key, you need to download the Session messaging tool via https://getsession.org and reach out to the ransomware group.
Session is an instant messaging app that works on Windows, MAC, Linux, Android, and iPhone and keeps your messages private and secret.
The SEXi ransomware group will demand Bitcoin in exchange for the decryption key.
IxMetro PowerHost: Victim of SEXi Ransomware Attack
The SEXi ransomware group targeted the Chilean data center and hosting provider IxMetro PowerHost, taking down their website and services. They encrypted their VMware ESXi and VMs (virtual machines). These affected servers are used to host virtual private servers for their customers. The attack took place over the weekend.
When they realized their servers and virtual machines were encrypted, they informed customers about it and attempted to restore terabytes of backup files.
Unfortunately, that didn’t end up well. Their backups were also encrypted by the SEXi ransomware.
They decided to negotiate with the SEXi ransomware group to obtain the decryption key. The malicious group requested 2 bitcoins per victim, which added up to around $ 140 million.
What a nightmare!
This is what PowerHost CEO Richardo Ruben said about the attack: From the very beginning of the issue, we have been in contact and collaborating with various security agencies in various countries to determine if they were aware of this ransomware. All the information we’ve gathered indicates that these are new variants with a very high level of damage. Personally, I negotiated with the hijacker, who demanded an exorbitant amount of bitcoins per customer: 2 BTC for each, which added up to around $ 140 million. However, even if we could muster the required amount, would it really help us? The unanimous recommendation of all law enforcement agencies is not to negotiate, as in more than 90% of cases, criminals simply disappear after payment.
In the end, PowerHost managed to support their customers by setting up a new VPS so that their customers could bring their websites back online.
This wasn’t a solution, but rather a workaround.
6 different ways to harden your VMware ESXi
Cybersecurity threats often succeed due to poor security practices, with a smaller part attributed to zero-day vulnerabilities. As an IT Administrator, there are various ways to protect your VMware and deter cybersecurity attacks.
Let’s discuss a few of them.
Patch Your VMware ESXi
You should ensure that you always keep your VMware ESXi servers and vCenter updated to the latest version. Additionally, you should ensure that all underlying hardware is updated to the latest version, including the physical server where your VMware is installed, and also storage devices and operating systems.
Disable root password
By default, VMware includes a user account called Root with all system privileges. It is highly recommended to disable this account and create separate user accounts that you will use to connect to ESXi via SSH. Also, ensure to employ the principle of least privilege, granting users only the necessary permissions for their respective tasks.
Use strong password
Another way hackers get into the system is by compromising poor passwords. You should ensure that you use at least 14 characters (some vendors even recommend more) and change them at least twice a year. The password should be a combination of lower and capital letters, numbers, and special characters.
Implement Monitoring and Logging
One very important measure is to implement proactive monitoring (Network Monitoring Solution) and logging (SIEM – Security Information and Event Management) to detect security breaches before they occur. SIEM automatically aggregates logs, analyzes them, and triggers notifications in case of suspicious activities.
Unfortunately, proactive monitoring and logging are the two most neglected security measures.
Disable or strengthen the SSH
If you don’t use SSH, you should disable it. If you use it, then you should implement a strong password, use SSH keys, and change SSH port. You can configure firewall rules to allow SSH access only from trusted IP addresses or networks.
You can read more details in the article published by VMware at General ESXi Security Recommendations.
Make an immutable backup with BDRSuite
Regular backups can’t handle ransomware attacks. If ransomware gets into your network and reaches ESXi and storage, it can lock up your backup files. So, if you try to bring them back, it won’t work.
To fight back, storage and backup companies have introduced immutable backups. These backups stop ransomware from altering backup files. In that case, ransomware like SEXi won’t be able to encrypt backup files or add its “.SEXi” encryption.
Starting version v7.0.1 BDRSuite supports immutable object storage.
“BDRSuite v7.0.1 marks a significant advancement offering ransomware defense features and reinforcing its status as the #1 cost-effective backup solution for businesses.”
Press release link here: https://www.kron4.com/business/press-releases/ein-presswire/693188254/bdrsuite-v7-0-1-is-available-now-with-immutable-backup-support/
BDRSuite provides immutable object storage for AWS S3 and S3 compatible object storage to ensure data security. The immutable backup supports the following:
Enhanced security for backup data
Protection against ransomware attacks
Assurance of unaltered backup data
Seamless integration with popular cloud platforms like S3 and S3-compatible Storage
Facilitates instant data recovery in case of disaster.
If you would like to learn more about it, please check here BDRSuite for Ransomware Protection, Recovery, and Defense.
Implement a 3-2-1 backup rule
On top of that, you should also implement the 3-2-1 backup rule. You should create three copies of your data: the original and two additional copies. These two copies should be stored in two different storage locations, with one copy saved in an offsite location, such as the cloud. You can learn more in my article What is the 3-2-1 Backup Rule and How BDRSuite Can Simplify it Practically? – BDRSuite.
BDRSuite supports VMware ESXi
BDRSuite supports the backup of VMware ESXi virtual machines. BDRSuite also supports agentless VM backup and all advanced backup features.
Here are the top 9 key features that I’ve found to be super helpful: 9 Key Features that Make BDRSuite the Ideal Backup Solution – Tech with Jasmin.
Download and test it!
BDRSuite provides you with the trial version with all feature sets. You can access the latest version of BDRSuite by visiting Download BDRSuite v7.0.1.
You can install it onWindows and Windows Server, Linux, and Docker.
Wrap up
In recent incidents, companies running their operations on VMware ESXi servers faced a new threat known as SEXi ransomware. This malicious software, developed by the hacking group SEXi, specifically targets VMware ESXi servers, virtual machines, and backups.
Unfortunately, these attacks have proven to be successful, causing significant disruptions and data loss for affected businesses.
In response to the increasing threat of ransomware attacks like SEXi targeting VMware ESXi servers and backups, businesses must implement robust security measures and backup solutions.
First, maintaining up-to-date patching of VMware ESXi servers is critical to addressing known vulnerabilities and security weaknesses.
Additionally, disabling the default “root” account and implementing strong, regularly updated passwords can prevent unauthorized access to ESXi servers.
Furthermore, enabling proactive monitoring and logging helps detect and respond to security threats before they escalate.
Lastly, one of the most important measures is to implement immutable backup.
This article provides a brief overview of SEXi ransomware and gives some insights on how to stay safe.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
