
Malware Attacks Targeting Microsoft Windows and Linux Users

FortiGuard Labs recently published a detailed report on the rise of the Abyss Locker ransomware, which has been causing havoc on both Microsoft Windows and Linux platforms. The malware, believed to be derived from the HelloKitty ransomware source code, steals and then encrypts victims’ files, demanding a ransom both to decrypt the files and to withhold the stolen data from publication.

Classified as high severity, the Abyss Locker ransomware first emerged in July 2023, although there is speculation that its origins may extend further back. After the initial detection, a Windows version of the ransomware surfaced in January 2024, followed closely by a second iteration. A Linux variant targeting VMware ESXi systems has also been identified.

To ensure that encryption succeeds and cannot be easily reversed, the Windows version of Abyss Locker performs several preparatory actions. It deletes Volume Shadow Copies and system backups using commands such as “vssadmin.exe delete shadows /all /quiet” and “wmic SHADOWCOPY DELETE.” It also alters the boot status policy to disable automatic repair and ignore all boot failures. Files encrypted by the ransomware have their extension changed to either “.abyss” or a random five-letter extension (version 1 variant). A ransom note named “WhatHappened.txt” is dropped, and the desktop wallpaper is replaced with an image containing the ransom demand.

In contrast, the Linux variant of Abyss Locker uses the esxcli command-line tool to control VMware ESXi systems. Before encrypting files and appending a “.crypt” extension, it attempts to shut down running virtual machines. A ransom note with the “.README_TO_RESTORE” extension is generated for each encrypted file. Both versions of the ransomware deliberately skip certain file extensions and directories so that the system remains usable and the victim can still communicate with the attackers during ransom negotiations.
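As an added example (not from the FortiGuard report or this article), the detection logic below runs over constructed process-creation events and file paths to flag the Windows staging behaviours and the Windows and ESXi file artifacts described in the two paragraphs above. The bcdedit command, the esxcli kill syntax, and all hostnames, users and paths are assumptions; the article names the behaviours but not those exact commands.

```python
import re
from collections import defaultdict
# Constructed sample process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("win-fs01", "SYSTEM", "vssadmin.exe delete shadows /all /quiet"),
    ("win-fs01", "SYSTEM", "wmic SHADOWCOPY DELETE"),
    ("win-fs01", "SYSTEM", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("win-ws07", "jdoe", "vssadmin.exe list shadows"),
    ("esxi-02", "root", "esxcli vm process kill --type=force --world-id=2102465"),
]
# Rules for the behaviours the report describes. bcdedit is an assumption: the report says the
# boot status policy is changed but does not name the tool used to do it.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "boot_recovery_disabled": re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "esxi_vm_force_kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I),
}
STAGING = {"shadow_copy_deletion", "boot_recovery_disabled"}  # both on one host: pre-encryption staging

def scan_events(events):
    """Map host -> set of matched rule names across its process-creation command lines."""
    hits = defaultdict(set)
    for host, _user, cmd in events:
        hits[host].update(name for name, rx in RULES.items() if rx.search(cmd))
    return dict(hits)

# File-system artifacts: ".abyss" (or a random five-letter extension) plus WhatHappened.txt on
# Windows; ".crypt" with a per-file ".README_TO_RESTORE" note on ESXi. Paths are constructed.
WIN_NOTE, ESXI_NOTE_SUFFIX = "WhatHappened.txt", ".README_TO_RESTORE"
FIVE_LETTER_EXT = re.compile(r"\.[A-Za-z]{5}$")
SAMPLE_PATHS = [
    "C:/Users/jdoe/Documents/report.docx.abyss", "C:/Users/jdoe/Documents/WhatHappened.txt",
    "C:/Users/jdoe/Documents/budget.xlsx.kqzpt", "C:/inetpub/wwwroot/index.xhtml",
    "/vmfs/volumes/ds1/vm1/vm1.vmdk.crypt", "/vmfs/volumes/ds1/vm1/vm1.vmdk.crypt.README_TO_RESTORE",
]

def classify_artifacts(paths):
    """Label each path ransom_note, encrypted_win, encrypted_esxi or benign."""
    names = set(paths)
    note_dirs = {p.rsplit("/", 1)[0] for p in paths if p.endswith("/" + WIN_NOTE)}
    def label(p):
        d, base = p.rsplit("/", 1)
        if base == WIN_NOTE or base.endswith(ESXI_NOTE_SUFFIX):
            return "ransom_note"
        if base.endswith(".crypt") and p + ESXI_NOTE_SUFFIX in names:
            return "encrypted_esxi"
        if base.endswith(".abyss") or (FIVE_LETTER_EXT.search(base) and d in note_dirs):
            return "encrypted_win"  # a bare five-letter extension only counts beside the note
        return "benign"
    return {p: label(p) for p in paths}
```

A random five-letter extension alone is too common (legitimate formats such as .xhtml have five letters) to act on, so it is only treated as an indicator when the ransom note sits in the same directory.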

Although the specific infection vector for Abyss Locker has not been identified, it is presumed to resemble those used by other ransomware groups. Samples of the ransomware have been collected from various regions, indicating a geographically widespread campaign. While no data leak site currently discloses victims’ identities, a TOR-based ransom negotiation site is available to affected parties. Ransom demands vary considerably, with consumers typically facing higher amounts.

The Abyss Locker ransomware poses a substantial threat to users of Windows and Linux platforms, particularly those utilizing VMware ESXi systems. With the potential for irreparable damage and compromise to networks, it is essential for users to remain vigilant and proactive in safeguarding their systems against such cyber threats.

To effectively combat malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, implementing Perimeter81 malware protection can prove instrumental. By remaining informed on the latest cybersecurity developments through reputable sources, individuals and organizations can fortify their digital defenses and mitigate the risks posed by malicious entities. Stay abreast of cybersecurity news, whitepapers, and infographics by following industry updates on platforms such as LinkedIn and Twitter.
