Incident Response Services

IxMetro PowerHost, a prominent Chilean data center and hosting provider with operations across the USA, South America, and Europe, was the victim of a severe cyber attack in April 2024. A new ransomware strain called SEXi encrypted crucial data on their VMware ESXi servers. 

With terabytes of data encrypted, including backups, PowerHost faced a significant challenge in restoring its services and maintaining customer trust. 

1000 Customers

Affected by the attack

$140 Million

Ransom demand 

No Payment

PowerHost did not comply with the ransom demand

No data exfiltration

Confirmed by a thorough digital forensic investigation

Identification and Initial Response

On March 30, 2024, PowerHost detected the SEXi ransomware attack on their VMware ESXi servers and backups. 

Recognizing the severity of the situation, they quickly moved to assess the scope of the incident. 

By April 1, they had identified that the attack had compromised their systems to such an extent that they needed to take immediate action. This led to the decision to shut down all hosted servers and websites, a crucial containment step to prevent the further spread of the ransomware.


Proven Data steps in

Following the initial containment, PowerHost engaged external expertise, bringing in Proven Data to assist with the recovery process. 

This decision was critical, given the complexity of the attack and the encryption of both primary data and backups. PowerHost’s CEO, Ricardo Rubem, also initiated negotiations with the attackers while simultaneously consulting with various security agencies across multiple countries. Despite the $140 million ransom demand, the company followed the advice of law enforcement agencies and refused to pay. Instead, they focused on recovery efforts, utilizing Proven Data’s advanced decryption techniques and recovery tools to restore services without succumbing to the ransom demand.

Ongoing Recovery and Communication

As the recovery process continued, PowerHost implemented measures to mitigate the impact on their customers. They offered to set up new VPS systems for affected customers who still had their website content, enabling some to resume online operations.

Throughout this phase, PowerHost maintained transparent communication with its customers, keeping them informed about the situation and the steps being taken to resolve it.

Steps Taken for Full Recovery

Rapid Response & Containment

Proven Data quickly responded to PowerHost’s situation, deploying our team of experts to address the encryption of VMware ESXi servers and terabytes of corporate backups.

Advanced Decryption Techniques

Our experts utilized advanced decryption technologies to tackle the encrypted data. This was crucial given that both primary data and backups were compromised.

Coordinated Effort with Stakeholders

Proven Data worked in a highly coordinated manner with PowerHost, integrating our efforts with PowerHost’s internal IT team and other stakeholders.

Minimizing Downtime

The team delivered a fast recovery, helping PowerHost restore operations as quickly as possible and minimizing the financial and operational impacts typically associated with such critical incidents.

The Results
