Into the Depths of Abyss Locker
Abyss Locker is a relatively new ransomware operation that is believed to have launched in March 2023, when it began to target companies in attacks.
The Abyss Locker ransomware group has become a threat to a wide range of organizations, including operators of industrial control systems (ICS), enterprises and public-sector bodies. Its expansion into these targets is attributed to the introduction of a dedicated Linux encryptor that targets VMware ESXi virtualized environments.
This move follows a broader pattern. ESXi is widely deployed, and the hypervisor that runs the virtual machines (VMs) offers no support for third-party malware detection, which has made the platform an increasingly attractive target for ransomware operators.
The Abyss ransomware appears to rely on the HelloKitty ransomware infrastructure; however, the encryption algorithm was changed from AES to ChaCha.
Abyss Locker Victimology
The group has asserted responsibility for several data breaches, alleging that they have pilfered varying amounts of data, ranging from 35 GB in one company’s case to as much as 700 GB in another.
The larger number of victims in the United States suggests that US-based entities are the group's primary target.
Some recent victims of the Abyss ransomware include:
- Posen Architects
- MRA
- Van Wingerden Greenhouses
- Sunharbor Manor
- Finitia
- PLB International
- Brockhouse Group
- Tractrad.com
- arb Architekten
Abyss Locker Malware, Tools & TTPs
Similar to various other ransomware campaigns, the perpetrators behind Abyss Locker engage in a familiar sequence of actions. They infiltrate corporate networks, pilfer data to enable a double-extortion approach, and proceed to encrypt devices within the network.
This pilfered data subsequently becomes a bargaining tool, utilized to exert pressure by warning of data leaks unless a ransom is settled. For the purpose of leaking this stolen information, the threat actors have set up a Tor-based data leak site titled ‘Abyss-data,’ which currently features a roster of fourteen victims.
The Linux encryptor first shuts down all running virtual machines so that their files are no longer locked by the hypervisor, then encrypts the associated virtual disks, metadata and snapshots. This covers files with the .vmdk (virtual disk), .vmsd (snapshot metadata) and .vmsn (snapshot state) extensions.
Beyond the virtual machine files, the ransomware also encrypts all other files on the device, appending the .crypt extension to their filenames.
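As an added example (not material from the page, and not code from the Abyss Locker operators), the following Python triage helper uses the file extensions named above to work out which VMs on a datastore lost their virtual disks, snapshot metadata or snapshot state. The datastore path, VM names and file listing are constructed for illustration; point `scan_datastore` at a mounted forensic copy of a real datastore to use it after an incident.

```python
"""
Post-incident triage for an ESXi datastore hit by an encryptor that appends
".crypt" to every file it processes, as Abyss Locker is described as doing.
Run it against a mounted/copied datastore, or feed it a file listing.
"""
import os
from collections import defaultdict
from pathlib import PurePosixPath

ENCRYPTED_SUFFIX = ".crypt"

# Original extensions named in the write-up, mapped to what they hold.
VM_FILE_KINDS = {
    ".vmdk": "virtual disk",
    ".vmsd": "snapshot metadata",
    ".vmsn": "snapshot state",
}


def classify(path):
    """Return (vm_dir, original_ext, kind) for an encrypted file, or None.

    "web01-flat.vmdk.crypt" -> ("/.../web01", ".vmdk", "virtual disk")
    Files without the .crypt suffix are ignored.
    """
    p = PurePosixPath(path)
    if p.suffix != ENCRYPTED_SUFFIX:
        return None
    original_ext = PurePosixPath(p.stem).suffix.lower()  # extension before .crypt
    kind = VM_FILE_KINDS.get(original_ext, "other")
    return str(p.parent), original_ext, kind


def triage(paths):
    """Group encrypted files by VM directory and count them by kind.

    Returns {vm_dir: {kind: count}} so responders can see which VMs lost
    disks, metadata and snapshots, and which only lost ancillary files.
    """
    report = defaultdict(lambda: defaultdict(int))
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        vm_dir, _ext, kind = hit
        report[vm_dir][kind] += 1
    return {vm_dir: dict(kinds) for vm_dir, kinds in report.items()}


def vms_with_encrypted_disks(report):
    """VM directories where at least one virtual disk was encrypted; these
    VMs cannot be powered on until restored from backup."""
    return sorted(d for d, kinds in report.items()
                  if kinds.get("virtual disk", 0) > 0)


def scan_datastore(root):
    """Walk a mounted datastore (e.g. a forensic copy) and list .crypt files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return hits


# Constructed sample listing: hypothetical datastore and VM names.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmsd.crypt",
    "/vmfs/volumes/datastore1/web01/web01-Snapshot1.vmsn.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmx.crypt",
    "/vmfs/volumes/datastore1/web01/vmware.log",
    "/vmfs/volumes/datastore1/db01/db01.vmsd.crypt",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk",
    "/vmfs/volumes/datastore1/db01/db01.nvram",
]

if __name__ == "__main__":
    import sys
    listing = scan_datastore(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    report = triage(listing)
    for vm_dir, kinds in sorted(report.items()):
        print(vm_dir, kinds)
    print("VMs with encrypted disks:", vms_with_encrypted_disks(report))
```

On the sample listing, `web01` shows two encrypted virtual disks plus its metadata and snapshot files, while `db01` lost only its .vmsd file and its flat disk is intact, so only `web01` is reported as unbootable. The grouping by directory assumes the usual one-directory-per-VM datastore layout.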
The ransom note explains what happened to the files and includes a unique link to the threat actor's Tor-based negotiation site. That site is minimal, offering only a basic chat panel for communicating with the ransomware group.
Abyss Locker Origins & Affiliates
In January 2023, a threat actor under the moniker “infoleak222” made a post on the now-defunct Breached forums, sharing a link to victim data that coincided with data also found on the Abyss Locker website. There’s a belief that these occurrences are interconnected, indicating that Abyss Locker activities were already underway many months prior to the publication of their TOR-based blog. Instances of previous Abyss variations, including a Windows variant, have been identified as far back as 2019.
Community
Abyss Locker operates as a multi-extortion group, maintaining a TOR-based website where victims' information is published along with their exfiltrated data if they refuse to comply with the threat actor's demands.
Abyss Locker TTPs
| Tactic | Technique |
|---|---|
| Defense Evasion | T1036.005 – Match Legitimate Name or Location |
| Initial Access | T1190 – Exploit Public-Facing Application |
| Exfiltration | T1537 – Transfer Data to Cloud Account |
| Exfiltration | T1567 – Exfiltration Over Web Service |
| Exfiltration | T1020 – Automated Exfiltration |
| Defense Evasion | T1078 – Valid Accounts |
| Persistence | T1078 – Valid Accounts |
| Privilege Escalation | T1078 – Valid Accounts |
| Initial Access | T1078 – Valid Accounts |
| Execution | T1569.002 – Service Execution |
| Execution | T1059.003 – Windows Command Shell |
| Persistence | T1547.009 – Shortcut Modification |
| Privilege Escalation | T1547.009 – Shortcut Modification |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Execution | T1059.001 – PowerShell |
| Discovery | T1016.001 – Internet Connection Discovery |
| Impact | T1486 – Data Encrypted for Impact |
| Initial Access | T1566.001 – Spearphishing Attachment |
| Initial Access | T1566.002 – Spearphishing Link |
| Defense Evasion | T1027.001 – Binary Padding |
| Collection | T1114.001 – Local Email Collection |
| Exfiltration | T1029 – Scheduled Transfer |
| Initial Access | T1195 – Supply Chain Compromise |
| Persistence | T1547.001 – Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.001 – Registry Run Keys / Startup Folder |