The Abyss Locker operation is a recent ransomware campaign that has developed a Linux encryptor specifically targeting VMware’s ESXi virtual machine platform in enterprise attacks. As businesses increasingly consolidate workloads on virtual machines for resource management and disaster recovery, ransomware groups have followed them there and built encryptors for this platform.
VMware ESXi is one of the most widely deployed virtualization platforms, which makes it a prime target: encrypting a single host takes down every virtual machine it runs. Several other ransomware operations, including AvosLocker, Black Basta, BlackMatter, HelloKitty, LockBit, Luna, RansomEXX, REvil, and Royal, have released Linux encryptors that target ESXi.
Abyss Locker is a relatively new ransomware group that emerged in March 2023 and targets corporate victims. Like other ransomware operations, Abyss Locker infiltrates corporate networks, exfiltrates data for double-extortion purposes, and then encrypts devices on the network.
The stolen data is used as leverage to extort victims into paying the ransom, and the threat actors run a Tor data leak site named ‘Abyss-data’ that currently lists fourteen victims. The group claims to have stolen varying amounts of data from them, ranging from 35 GB to as much as 700 GB.
Researchers discovered a Linux ELF encryptor for the Abyss Locker operation that specifically targets VMware ESXi servers. The encryptor uses the ‘esxcli’ command-line management tool to enumerate running virtual machines (‘esxcli vm process list’) and then forcibly terminates each one with ‘esxcli vm process kill’. Killing the VMs first matters to the attacker because a running VM holds locks on its disk and snapshot files; once it is stopped, those files can be overwritten.
After terminating the virtual machines, Abyss Locker encrypts their files, including virtual disks (.vmdk), snapshot metadata (.vmsd), and snapshot state (.vmsn), appending the ‘.crypt’ extension to each. All other files on the affected host are encrypted as well, and a ransom note with the ‘.README_TO_RESTORE’ extension is created for each file. The note describes the attack and contains a unique link to the threat actor’s Tor negotiation site for communication with the ransomware gang.
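The two behaviours described above, the esxcli list-then-kill sequence and the ‘.crypt’ / ‘.README_TO_RESTORE’ file markers, are exactly what a responder can check for. The following script is an added example written for this page; it is not code from the article or from the Abyss Locker sample. It parses shell log lines for the kill pattern and walks a datastore directory to count encrypted VM artifacts. The log lines, the datastore layout, and the threshold of three distinct world IDs are constructed assumptions for the example; on a real host the logs live under /var/log and datastores under /vmfs/volumes.

```python
"""Added example (not code from the article or the Abyss Locker sample):
turn the behaviour described above into two responder checks.

Assumptions not taken from the page: the log lines and datastore layout
below are constructed test data, and the three-distinct-world-IDs threshold
is a tunable chosen for the example.
"""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".crypt"               # extension the encryptor appends
RANSOM_NOTE_MARKER = "README_TO_RESTORE"  # ransom note name suffix
VM_ARTIFACT_EXTS = {".vmdk", ".vmsd", ".vmsn"}  # VM files named in the article

LIST_RE = re.compile(r"esxcli\s+vm\s+process\s+list\b")
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b(?P<args>.*)")
KILL_TYPE_RE = re.compile(r"(?:--type[= ]|-t[= ])(?P<type>soft|hard|force)")
WORLD_RE = re.compile(r"(?:--world-id[= ]|-w[= ])(?P<wid>\d+)")


def scan_shell_log(lines, min_kills=3):
    """Summarise esxcli VM-process activity and flag list-then-mass-kill.

    An admin killing one hung VM produces a single kill; the encryptor
    enumerates with 'vm process list' and then kills every world ID it saw.
    """
    list_calls = 0
    kills = []
    for line in lines:
        if LIST_RE.search(line):
            list_calls += 1
            continue
        m = KILL_RE.search(line)
        if not m:
            continue
        args = m.group("args")
        t = KILL_TYPE_RE.search(args)
        w = WORLD_RE.search(args)
        kills.append({"type": t.group("type") if t else None,
                      "world_id": int(w.group("wid")) if w else None})
    distinct = {k["world_id"] for k in kills if k["world_id"] is not None}
    return {"list_calls": list_calls, "kills": kills,
            "distinct_worlds": len(distinct),
            "suspicious": list_calls >= 1 and len(distinct) >= min_kills}


def triage_datastore(root):
    """Walk a datastore: count encrypted files by original extension,
    collect ransom notes, and list the VM directories that were touched."""
    by_ext = Counter()
    notes = []
    touched = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(RANSOM_NOTE_MARKER):
                notes.append(os.path.join(dirpath, name))
                touched.add(os.path.relpath(dirpath, root))
            elif name.endswith(ENCRYPTED_SUFFIX):
                original = name[:-len(ENCRYPTED_SUFFIX)]
                by_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
                touched.add(os.path.relpath(dirpath, root))
    vm_hits = sum(n for ext, n in by_ext.items() if ext in VM_ARTIFACT_EXTS)
    return {"by_ext": dict(by_ext), "notes": sorted(notes),
            "vm_artifacts_encrypted": vm_hits, "touched_dirs": sorted(touched)}


# Constructed sample log lines (not real ESXi logs); they mirror the sequence
# the article describes: one enumeration, then a forced kill per world ID.
ATTACK_LOG = [
    "2023-07-29T10:02:11Z shell[1001]: [root]: esxcli vm process list",
    "2023-07-29T10:02:12Z shell[1001]: [root]: esxcli vm process kill -t=force -w=2100512",
    "2023-07-29T10:02:12Z shell[1001]: [root]: esxcli vm process kill -t=force -w=2100677",
    "2023-07-29T10:02:13Z shell[1001]: [root]: esxcli vm process kill -t=force -w=2100803",
    "2023-07-29T10:02:14Z shell[1001]: [root]: esxcli vm process kill --type=hard --world-id=2100803",
]
ADMIN_LOG = [  # one graceful kill of a hung VM must not trip the rule
    "2023-07-29T08:15:00Z shell[0910]: [root]: esxcli vm process list",
    "2023-07-29T08:15:30Z shell[0910]: [root]: esxcli vm process kill --type=soft --world-id=2100512",
]

# Constructed datastore layout: relative paths of empty placeholder files.
SAMPLE_DATASTORE = {
    "vm1/vm1.vmx.crypt", "vm1/vm1.vmdk.crypt", "vm1/vm1-flat.vmdk.crypt",
    "vm1/vm1.vmsd.crypt", "vm1/vm1-Snapshot1.vmsn.crypt", "vm1/README_TO_RESTORE",
    "vm2/vm2.vmx", "vm2/vm2.vmdk", "vm2/vm2-flat.vmdk",   # untouched VM
    "vm3/vm3.vmdk.crypt", "vm3/vm3.vmdk.README_TO_RESTORE",
}


def build_sample_datastore(root):
    """Create the constructed layout under root."""
    for rel in SAMPLE_DATASTORE:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


def demo():
    """Run both checks on the constructed data and return their results."""
    attack = scan_shell_log(ATTACK_LOG)
    admin = scan_shell_log(ADMIN_LOG)
    with tempfile.TemporaryDirectory() as root:
        build_sample_datastore(root)
        triage = triage_datastore(root)
    return attack, admin, triage


if __name__ == "__main__":
    a, b, t = demo()
    print("attack log suspicious:", a["suspicious"], "| admin log suspicious:", b["suspicious"])
    print("encrypted by extension:", t["by_ext"])
    print("ransom notes:", len(t["notes"]), "| touched VM dirs:", t["touched_dirs"])
```

The log check keys on the count of distinct world IDs killed after an enumeration rather than on the kill type, because an operator cleaning up a hung VM also uses ‘kill’ and the encryptor could just as easily pass ‘hard’ or ‘soft’. The datastore walk groups by the extension underneath ‘.crypt’, which separates damage to disks and snapshots from collateral encryption of other files and gives a quick count of how many VMs need restoring from backup.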
Security experts, including Michael Gillespie, have noted that the Abyss Locker Linux encryptor appears to be based on the HelloKitty ransomware. It remains unclear, however, whether Abyss Locker is a rebrand of the HelloKitty operation or whether another group obtained the encryptor’s source code, as happened with the Vice Society ransomware.
The targeting of VMware ESXi hosts highlights how ransomware attacks have adapted to virtualized environments, where one compromised hypervisor yields dozens of encrypted servers at once. Defending against such attacks means keeping ESXi hosts patched, disabling the ESXi Shell and SSH when they are not needed, restricting management interfaces to a dedicated network, and keeping backups of virtual machines offline or immutable so that they survive an encryptor running as root on the host.