The ransomware operation previously known as SEXi has rebranded to APT INC and continues to target organizations, particularly focusing on VMware ESXi servers. This rebranding occurred after the group began using the Babuk and LockBit 3 encryptors to launch attacks in February 2024. Their notable breach included a significant attack on IxMetro Powerhost, a Chilean hosting provider, which saw the encryption of VMware ESXi server files.
APT INC’s ransomware operations have gained attention for their specific focus on VMware ESXi servers, utilizing leaked encryptors that have proven to be effective and secure. The Babuk and LockBit 3 encryptors, which are central to their attacks, have no known vulnerabilities that allow for free decryption, making recovery without paying the ransom extremely challenging.
Victims of APT INC attacks report ransom demands ranging from tens of thousands to millions of dollars. The group assigns each victim a random name for ransom notes and encrypted files, which are used to communicate demands and instructions via the Session encrypted messaging application. Despite the varied ransom amounts, the encrypted files remain inaccessible without meeting the demands of the threat actors.
The leaked Babuk and LockBit 3 encryptors have been widely adopted by ransomware operators due to their robust encryption capabilities, especially for VMware ESXi servers commonly used in enterprises. APT INC’s continued use of these tools highlights the evolving threat landscape and the ongoing challenges in defending against such sophisticated ransomware attacks.