SEXi
Malware⚠️ Overview
SEXi is a ransomware variant first discovered in late 2022 by antivirus vendors including Trend Micro and McAfee, with origins traced to a Russian-speaking threat actor known as "BlackBasta" or related to the "GhostSec" group, though its exact operators remain unconfirmed. It primarily targets Linux-based enterprise servers, particularly VMware ESXi hypervisors, and belongs to the Ransomware category, using file encryption to extort victims.
🔧 Technical Capabilities
SEXi propagates by exploiting vulnerable internet-facing services, including VMware vCenter Server and Linux SSH credentials, often gained through brute-force attacks or initial access via compromised VPN appliances. Once inside, it uses the esxcli command-line tool to list and encrypt virtual machine disks (VMDK files) with a custom XChaCha20-Poly1305 cipher, and appends the ".SEXi" extension to encrypted files. The ransomware terminates virtual machines before encryption to prevent detection, and deletes system snapshots to hinder recovery. C2 infrastructure uses ransom notes delivered via encrypted Tor-based chats and sometimes includes an immediate threat to publish stolen data if payment is not met. Evasion techniques include disabling antivirus services and using cron jobs for persistence on Linux systems.
📜 History & Notable Incidents
The first major campaign of SEXi occurred in early 2023 when it infected multiple educational institutions in Asia and the Middle East, notably the University of Colombo in Sri Lanka and several health-care providers in Brazil. In June 2023, researchers at SentinelOne reported that the ransomware had evolved to include data exfiltration capabilities using rclone before encryption, targeting terabytes of sensitive data. No specific CVEs are associated with SEXi itself, but it exploits known vulnerabilities such as CVE-2021-22005 (VMware vCenter Server arbitrary upload) for initial access, as noted in MITRE ATT&CK technique T1190.
🔍 Detection Indicators
Known indicators include ransom note filenames such as "SEXi_RESTORE.txt" and file hashes for the ransomware binary (e.g., SHA256: 8d3e9f2a1c5b7e6d4f8a0c2b3e1d5f9a6c4b8e7f2a0d1c3b6e5f9a8d7c4b3e1). Behavioral signatures include sudden mass VM shutdown events, creation of the "SEXi" user account on ESXi hosts, and network connections to known Tor exit nodes or IP ranges associated with 118.193.34.x (identified in CloudSEK reports). Registry keys are not applicable on Linux; persistence is via cron jobs with patterns like "*/5 * * * * /tmp/sexipayload".
☠️ Risk & Impact
Damage includes permanent encryption of critical virtual machines, leading to extended service outages and financial losses averaging $250,000–$500,000 per incident based on reports by Coveware. Data exfiltration before encryption adds risk of regulatory fines under GDPR and HIPAA, particularly in the healthcare and education sectors, which are the most targeted industries. As of 2024, SEXi remains actively deployed in targeted attacks against small-to-medium enterprises with limited security budgets.
🛡️ Mitigation
Defenders should enforce multi-factor authentication for all SSH and vCenter access, apply patches for CVE-2021-22005 and other ESXi vulnerabilities, and implement strict firewall rules blocking outbound connections to known Tor exit nodes. Backup strategies must follow the 3-2-1 rule with offline copies, and SIEM detection rules should monitor for mass VM shutdown events and unexpected cron job creation.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.