From 7ade514644708d4f0e185dc7613cba8bf071c4b6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 6 Jun 2024 01:27:07 -0700
Subject: [PATCH] [threat-actors] Add SEXi
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fadfacb..39e2c8d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16056,6 +16056,18 @@
 },
 "uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
 "value": "FlyingYeti"
+ },
+ {
+ "description": "SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word \"ESXi,\" indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.",
+ "meta": {
+ "refs": [
+ "https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/",
+ "https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/",
+ "https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors"
+ ]
+ },
+ "uuid": "1bd2034f-a135-4c71-b08f-867b7f9e7998",
+ "value": "SEXi"
 }
 ],
 "version": 310
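Review bot: `"version": 310` is left unchanged as trailing context in this hunk even though a new cluster entry is added directly above it. If consumers of this file decide whether to re-import it by comparing the top-level version (likely, but not visible here), the SEXi entry will not reach existing installations; unless a later commit in the series bumps it, change the line to `"version": 311`. Separately, the Babuk lineage is stated only in the free-text `description`, so detection and correlation tooling cannot follow it. If the project already has a cluster entry for Babuk, a relationship field pointing at that entry's UUID would make the link machine-readable.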