Recently, a notorious ransomware group previously known as SE#i Ransomware rebranded itself as APT Inc. and set its sights on VMware ESXi servers worldwide, particularly in corporate environments. The campaign hits ESXi hosts and other Linux-based systems with an encryptor built from the leaked Babuk source code, while Windows environments are hit with an encryptor derived from the leaked LockBit 3.0 builder.
The activity reportedly began in February 2024 but drew wide attention when Chilean hosting provider IxMetro Powerhost found all of its VMware servers, and the customer workloads hosted on them, rendered inaccessible by the malware.
Curiously, the malware encrypts only the virtual machine files (virtual disks, VM storage, and backup images kept for duplication) and leaves the hypervisor's own operating system files untouched. That is enough to take every guest VM offline while the ESXi host itself keeps booting, which is also why a host can look healthy from the management console until someone inspects the datastores.
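Because the encryptor touches VM files rather than the hypervisor, the quickest triage check is a sweep of the datastores for VM files that were either renamed or overwritten in place. The script below is an added example, not code from the article or from any vendor; it builds a constructed sample datastore in a temporary directory (the ".locked" suffix is hypothetical, not the group's real marker) and flags two symptoms: a VM extension followed by an unexpected extra suffix, and a file that should be plain text (a .vmx or descriptor .vmdk) whose contents now look like ciphertext. Data extents such as -flat.vmdk are skipped on purpose, since they are legitimately high-entropy.

```python
"""Flag VM files on a datastore that look renamed or encrypted in place."""
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File types an ESXi-targeting encryptor goes after; the hypervisor's own
# files are not in this set, matching the behaviour described above.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vmem", ".vswp", ".nvram"}
# These are plain text on a healthy host; high entropy means the content was
# replaced with ciphertext even though the name is unchanged.
TEXT_VM_EXTENSIONS = {".vmx", ".vmxf", ".vmsd"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; text descriptors sit around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_descriptor_vmdk(path: Path) -> bool:
    """Descriptor .vmdk files are small text; -flat/-delta/-sesparse extents are binary."""
    stem = path.stem.lower()
    return path.suffix.lower() == ".vmdk" and not stem.endswith(
        ("-flat", "-delta", "-sesparse", "-rdm", "-rdmp"))


def classify(path: Path) -> Optional[Dict]:
    """Return a finding for one file, or None if it looks healthy."""
    suffixes = [s.lower() for s in path.suffixes]
    # 1. A VM extension with a further suffix appended: renamed after encryption.
    for s in suffixes[:-1]:
        if s in VM_EXTENSIONS:
            return {"path": str(path), "reason": "renamed", "appended_suffix": suffixes[-1]}
    # 2. A file that should be text but now reads as ciphertext: encrypted in place.
    if suffixes and (suffixes[-1] in TEXT_VM_EXTENSIONS or is_descriptor_vmdk(path)):
        with path.open("rb") as fh:
            head = fh.read(4096)
        ent = shannon_entropy(head)
        if ent > ENTROPY_THRESHOLD:
            return {"path": str(path), "reason": "encrypted in place", "entropy": round(ent, 2)}
    return None


def scan_datastore(root: Path) -> List[Dict]:
    """Walk a datastore (e.g. /vmfs/volumes/<name>) and collect findings."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            f = classify(p)
            if f:
                findings.append(f)
    return findings


def build_sample_datastore(root: Path) -> None:
    """Constructed sample, not a real capture: one healthy VM, one hit by an encryptor."""
    vmx_text = b'.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "web-01"\n'
    desc_text = b'# Disk DescriptorFile\nversion=1\ncreateType="vmfs"\nRW 4194304 VMFS "web-01-flat.vmdk"\n'
    ok = root / "web-01"
    ok.mkdir(parents=True)
    (ok / "web-01.vmx").write_bytes(vmx_text)
    (ok / "web-01.vmdk").write_bytes(desc_text)
    (ok / "web-01-flat.vmdk").write_bytes(os.urandom(8192))  # extents are legitimately high-entropy
    (ok / "vmware.log").write_bytes(b"2024-06-01T00:00:00Z| vmx| I005: Log for VMware ESX\n")
    bad = root / "db-01"
    bad.mkdir()
    # Renamed after encryption; ".locked" is a hypothetical suffix for this example.
    (bad / "db-01.vmx.locked").write_bytes(os.urandom(512))
    (bad / "db-01-flat.vmdk.locked").write_bytes(os.urandom(8192))
    # Encrypted in place: the descriptor keeps its name but its content is now ciphertext.
    (bad / "db-01.vmdk").write_bytes(os.urandom(1024))
    (bad / "vmware.log").write_bytes(b"2024-06-01T00:00:00Z| vmx| I005: Log for VMware ESX\n")


def demo() -> List[Dict]:
    """Run the scan over the constructed sample and return datastore-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore1"
        build_sample_datastore(root)
        return [{**f, "path": Path(f["path"]).relative_to(root).as_posix()}
                for f in scan_datastore(root)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, point `scan_datastore` at each `/vmfs/volumes/<datastore>` path and treat any "renamed" hit as confirmation; the entropy rule is a heuristic and is deliberately limited to files that are text by construction, so it will not fire on large disk extents or on VMs that hold compressed data.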
A recent Reddit discussion has sparked interest in why the APT Inc. ransomware group focuses exclusively on VMware servers. Among the insights shared, one white hat hacker suggested that vulnerabilities stemming from misconfigurations make VMware servers prime targets for causing substantial damage to hosting data centers. Another user pointed to the near-certain payoff from breaching VMware servers as a motivating factor for threat actors.
It's worth noting that this isn't the first time virtualization software has been targeted. Last year, a Chinese espionage group tracked as UNC3886 repeatedly exploited a zero-day flaw in VMware ESXi servers to steal sensitive information.
Victims should report to law enforcement as soon as they discover an incident. Early reports let the authorities warn other organizations about the active threat, and the samples and ransom-note details collected from victims are what eventually allow a decryptor to be built if a flaw is found in the encryptor or keys are seized. Reporting does not guarantee a decryption key, so restoring from offline, verified backups remains the primary recovery path.