Exsi

Malware Profile Updated 3 months ago
ESXi is a malware that has been causing significant disruptions in the cyber world. This malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware has been used by attackers to successfully extort companies such as Caesars for a ransom, and the same attackers are now targeting MGM Resorts, claiming to have crypto-locked its ESXi hypervisors. The Royal Ransomware threat group, a prolific ransomware actor, is believed to be behind this attack; it has expanded its operations to target Linux platforms and ESXi servers. The developers of the Royal ransomware strain have added a Linux version which researchers believe is specifically designed to target vulnerable ESXi servers. ESXi hosts several VMs per server, making it a high-yield target: attackers can deploy the malware once and encrypt numerous servers with a single command. ESXi's attractiveness to attackers lies in its ability to host multiple data-rich virtual machines (VMs) on VMware's ESXi hypervisor platform, which runs on Linux and Linux-like operating systems. The emergence of this malware stands at the intersection of two major ransomware trends: the development of malware based on the Babuk source code and a growing interest in compromising VMware ESXi servers. The new ransomware has been named ESXiArgs, reflecting its primary target, vulnerable ESXi servers.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Esxiargs | 1 | The ESXiArgs campaign was a significant cybersecurity event where an unknown ransomware group targeted VMware ESXi environments. The attackers exploited CVE-2021-21974, a vulnerability that was two years old at the time of the attacks. The campaign involved several ransomware groups such as Royal, B
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransom
Ransomware
Malware
MGM
Linux
Vmware
Encryption
Encrypt
Esxi
Esxiargs
Vcenter
Associated Malware
ID | Type | Votes | Profile Description
Sexi | Unspecified | 1 | SEXi is a malware that emerged at the intersection of two major ransomware trends: the proliferation of threat actors utilizing Babuk source code and a desire to compromise VMware ESXi servers. This ransomware, linked to a broader campaign impacting at least three Latin American countries, has been
Royal Ransomware | Unspecified | 1 | Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Exsi malware profile was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 4 months ago | SEXi Ransomware Desires VMware Hypervisors
BankInfoSecurity | 10 months ago | Caesars Confirms Ransomware Payoff and Customer Data Breach
CERT-EU | 10 months ago | Caesars Confirms Ransomware Payoff and Customer Data Breach | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 10 months ago | Caesars Confirms Ransomware Payoff and Customer Data Breach | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | a year ago | VMWare ESXi Servers Targeted by Ransomware Gangs
CERT-EU | a year ago | ESXiArgs Ransomware Campaign Facilitated by Exploiting VMware Vulnerability
CERT-EU | a year ago | TALOS-2022-1658 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence