Sexi

Malware updated 25 days ago (2024-08-14T09:20:44.914Z)
SEXi is a ransomware variant that has been used in cyberattacks since February 2024. It was first identified during an attack on IxMetro in April of the same year. The malware is associated with a cybercrime group known as APT Inc., which has been operating under this name since June. SEXi stands out for its ability to exploit niches where it can deploy its ransomware effectively. The group uses leaked variants of ransomware from other malware families, and although such groups often lack professionalism, they are still able to cause significant damage.

The SEXi ransomware has targeted VMware's ESXi hypervisor platform, which runs on Linux and Linux-like operating systems and hosts multiple data-rich virtual machines. In the attacks, the ransom note typically instructs the victim to download an app and send a message with a specific code. Notably, the communication method specified by the actors in the ransom note is Session, an end-to-end encrypted instant messaging application emphasizing user confidentiality and anonymity. This communication method had not been commonly seen in relation to any major or serious cases before the emergence of SEXi.

Despite the damage caused by the SEXi ransomware, there is currently no clear indication of the origins of the malware operators or their intentions. As of the last report, all three registered versions of SEXi had zero detections in VirusTotal (VT), indicating a high level of sophistication and evasion. The findings reveal the development of a novel campaign using various iterations of SEXi, all of which appear to lead back to another known ransomware variant, Babuk.
Description last updated: 2024-08-14T09:11:11.703Z
Aliases
We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Source Document References
Information about the Sexi Malware was read from the documents corpus below.
Source | Created | Title
Securelist | a month ago | Ransomware variants available online give rise to new cybercrime groups
DARKReading | 2 months ago | Vulnerabilities & Threats recent news | Dark Reading
DARKReading | 2 months ago | SEXi Ransomware Rebrands as 'APT Inc.,' Keeps Old Methods
DARKReading | 5 months ago | SEXi Ransomware Desires VMware Hypervisors