IxMetro PowerHost, a prominent Chilean data center and hosting provider with operations across the USA, South America, and Europe, was the victim of a severe ransomware attack that began on March 30, 2024. A new ransomware strain called SEXi encrypted crucial data on the company's VMware ESXi servers.
With terabytes of data encrypted, including the backups, PowerHost faced a significant challenge in restoring its services and maintaining customer trust.
Key facts
- Affected by the attack
- Ransom demand
- PowerHost did not comply with the ransom demand
- Confirmed by a thorough digital forensic investigation
Identification and Initial Response
On March 30, 2024, PowerHost detected the SEXi ransomware attack on their VMware ESXi servers and backups.
Recognizing the severity of the situation, the company quickly moved to assess the scope of the incident.
By April 1, it was clear that the compromise was extensive enough to require immediate action, and PowerHost decided to shut down all hosted servers and websites. Taking the hosts offline was a crucial containment step: it halted any encryption still in progress and prevented the ransomware from spreading further.
Proven Data steps in
Following the initial containment, PowerHost engaged external expertise, bringing in Proven Data to assist with the recovery process.
This decision was critical, given the complexity of the attack and the encryption of both primary data and backups. PowerHost's CEO, Ricardo Rubem, opened negotiations with the attackers while also consulting security agencies in several countries. Despite the $140 million ransom demand, the company followed the advice of law enforcement and refused to pay. Instead, it focused on recovery, using Proven Data's decryption techniques and recovery tools to restore services without giving in to the ransom demand.
Ongoing Recovery and Communication
As the recovery process continued, PowerHost implemented measures to mitigate the impact on its customers. It offered to set up new VPS systems for affected customers who still held their own copies of their website content, enabling some of them to resume online operations while the encrypted systems were being recovered.
Throughout this phase, PowerHost maintained transparent communication with its customers, keeping them informed about the situation and the steps being taken to resolve it.
Steps Taken for Full Recovery
Rapid Response & Containment
Proven Data quickly responded to PowerHost’s situation, deploying our team of experts to address the encryption of VMware ESXi servers and terabytes of corporate backups.
Advanced Decryption Techniques
Our experts utilized advanced decryption technologies to tackle the encrypted data. This was crucial given that both primary data and backups were compromised.
Coordinated Effort with Stakeholders
Proven Data worked in a highly coordinated manner with PowerHost, integrating our efforts with PowerHost’s internal IT team and other stakeholders.
Minimizing Downtime
The team carried out a rapid recovery, helping PowerHost restore operations as quickly as possible and minimizing the financial and operational impact typically associated with incidents of this kind.
The Results
- Complete Data Decryption
- Data Recovery
- Repair of Corrupted Data
- No Ransom Payment
- Minimal Downtime
- Ransomware Prevention Assistance