The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded under the name APT INC and has targeted numerous organizations in recent attacks.

The threat actors started attacking organizations in February 2024 using the leaked Babuk encryptor to target VMware ESXi servers and the leaked LockBit 3 encryptor to target Windows.

The cybercriminals soon gained media attention for a massive attack on IxMetro Powerhost, a Chilean hosting provider whose VMware ESXi servers were encrypted in the attack.

The ransomware operation was given the name SEXi based on the SEXi.txt ransom note name and the .SEXi extension in the names of encrypted files.

Cybersecurity researcher Will Thomas later found other variants that use the names SOCOTRA, FORMOSA, and LIMPOPO.

While the ransomware operation utilizes both Linux and Windows encryptors, it is known for targeting VMware ESXi servers.

Rebrands as APT INC

Since June, the ransomware operation has rebranded as APT INC, with cybersecurity researcher Rivitna telling BleepingComputer they continue to use the Babuk and LockBit 3 encryptors.

Over the past two weeks, numerous APT INC victims have contacted BleepingComputer or posted in our forums to share similar experiences regarding their attacks.

The threat actors gain access to the VMware ESXi servers and encrypt files related to the virtual machines, such as virtual disks, storage, and backup images.  The other files on the operating system are not encrypted.

Each victim will be assigned a random name that is not affiliated with the company. This name is used for the ransom note names and the encrypted file extension.

These ransom notes contain information on contacting the threat actors using the Session encrypted messaging application. Note how the Session address of 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912 is the same one used in the SEXi ransom notes.

BleepingComputer has learned that ransom demands vary between tens of thousands to millions, with the CEO of IxMetro Powerhost publicly stating that the threat actors demanded two bitcoins per encrypted customer. 

Unfortunately, the Babuk and LockBit 3 encryptors are secure and have no known weaknesses, so there is no free way to recover files.

The leaked Babuk and LockBit 3 encryptors have been used to power new ransomware operations, including APT INC. The leaked Babuk encryptors have been widely adopted as they include an encryptor that targets VMware ESXi servers, which is heavily used in the enterprise.