This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Social Media Links

| 3 minutes read

Ankura CTIX FLASH Update - April 5, 2024

Malware Activity


SEXi Ransomware Targets VMWare ESXi Servers

IxMetro Powerhost – a Chilean data center and hosting provider has confirmed they have been attacked by a novel ransomware group self-named “SEXi”. The SEXi ransomware group appears to specifically target VMware’s ESXi servers, encrypting servers and backups, and renaming encrypted files with a “.SEXi” extension. SEXi’s ransom note has been found to be a “.txt” file which simply instructs victims to download and reach out to the attackers via the Session messaging application. In the case of the attack against IxMetro, the ransomware group demanded roughly $140 million in bitcoin for the decryption key. It is currently unknown whether SEXi plans to run a double-extortion operation or whether they will continue to only demand a ransom payment for decryption keys. Additionally, given the novelty of the ransomware, the initial access vector for the attack on the ESXi servers is currently unknown to cybersecurity researchers. Information about this new threat group and novel ransomware is still only just emerging. CTIX Analysts will continue to report on new and escalating malware and ransomware campaigns. 


Threat Actor Activity


Russia Indicts Six (6) Suspects Involved in Stealing 160,000 Credit Cards Over Seven (7) Years

Russia has indicted six (6) individuals for card scamming crimes, a rarity for a country who has minimal precedence for tackling cybercrime. The six suspected "hacking group" members were indicted by the Russian Prosecutor General's office for using malware to steal credit card and payment information from foreign online stores. Per the investigation, Denis Priymachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev have managed to steal over 160,000 payment cards since the end of 2017 using computer programs to bypass protection of foreign online store websites to infiltrate their databases and exfiltrate bank card details over to remote servers. Russian authorities have stated that the persons of interest were not personally using the stolen cards but rather selling the card data on dark web platforms. Attacks like this are often referred to as card skimming, where hackers will infect e-commerce sites with malicious code that steals customers' input on the checkout pages or through a fake payment overlay. Sometimes the threat actors will use the card info to make unauthorized purchases sent to money mules or sell them on dark web marketplaces which is most likely the case in this instance.




Ivanti Patches Multiple VPN Gateway Vulnerabilities in Connect Secure and Policy Secure

Ivanti has patched multiple security vulnerabilities in its Connect Secure and Policy Secure gateways. Among them is a high-severity flaw tracked as CVE-2024-21894, allowing unauthenticated attackers to conduct remote code execution and induce denial-of-service (DoS) attacks, along with three (3) other vulnerabilities facilitating DoS attacks due to issues in heap overflow, null pointer dereference, and XML entity expansion. Despite the severity of these vulnerabilities and the potential for exploitation, there have been no reported incidents of exploitation at the time of disclosure. These updates follow Ivanti's public commitment to enhancing security measures following a backdrop of recent critical vulnerabilities in other products and a broader initiative to adopt secure-by-design principles, increase transparency, and improve vulnerability management. The urgency of these patches is underscored by past nation-state threat actor exploits of Ivanti software, which include the deployment of zero-days to disseminate malware. This situation has led to emergency directives from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to protect Federal Civilian Executive Branch (FCEB) agency systems against such vulnerabilities, demonstrating the severe cybersecurity consequences for Ivanti's customers and the broader global digital infrastructure. CTIX analysts recommend all administrators ensure their Ivanti products always stay up to date with the latest software to prevent exploitation.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team ( if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with