
SEXi Ransomware Takes Down a Data Center — No Ransom Paid

IxMetro PowerHost, a data center operator serving customers across the US, South America, and Europe, was hit by SEXi ransomware in April 2024. The attack encrypted VMware ESXi servers and all backups, affecting 1,000 customers and carrying a $140M ransom demand. Proven Data deployed advanced decryption, coordinated recovery across all stakeholders, and forensically confirmed no data was exfiltrated — no ransom was paid.

  • Ransom demanded: $140,000,000
  • Ransom paid: None
  • Customers affected: 1,000
  • Attack detected: March 30, 2024
  • Data exfiltrated: None confirmed

The Challenge

SEXi ransomware — a strain targeting VMware ESXi infrastructure — encrypted both production servers and all backups at PowerHost, a Chilean data center with international operations. With 1,000 customers' hosted servers and websites offline and a $140 million demand, the incident combined massive operational disruption with extreme extortion pressure. Law enforcement agencies across multiple countries advised against paying.

How We Responded

  1. Rapid Response & Containment

    Proven Data deployed experts to PowerHost immediately after the March 30 detection. By April 1, all affected servers were isolated to prevent further encryption spread.

  2. Advanced Decryption for ESXi Infrastructure

    Using specialized VMware ESXi decryption techniques, the team worked to recover encrypted data from both production systems and compromised backups.

  3. Multi-Stakeholder Coordination

    Recovery was orchestrated across PowerHost's internal IT team, security agencies in multiple countries, and Proven Data — maintaining alignment on strategy and customer communications.

  4. Forensic Investigation

    A forensic investigation examined exfiltration indicators across network logs and confirmed that no customer data had been stolen despite the attackers' claims.

  5. Customer Recovery Enablement

    PowerHost offered affected customers new VPS environments while restoration progressed, enabling some to resume operations quickly while full decryption continued.

Outcomes

  • No ransom paid ($140M demand declined)
  • Advanced decryption applied to ESXi infrastructure
  • Forensics confirmed zero data exfiltration
  • 1,000 affected customers progressed toward recovery
  • Coordinated response across international stakeholders
