A new emerging threat, Abyss Locker ransomware has been making headlines for its targeted attacks on VMware’s ESXi virtualised environments. IOCs however seem sadly lacking.

The Abyss Locker Ransomware

Launched in March, Abyss Locker ransomware employs a double-extortion scheme, where data is both encrypted and exfiltrated for potential leaking if the ransom isn’t paid. The second version of this ransomware, which contains a Linux ELF encryptor variant, appears to be specifically aimed at ESXi virtual machines (VMs). The group has reportedly claimed 14 victims so far. Prior to its prominence in 2023, the Abyss Locker operations were hinted at in January through a post by the threat actor “infoleak222” on the Breached forums. These operations have evolved from previous variations of Abyss seen as far back as 2019.

This move by Abyss Locker is part of a larger trend, as the widespread use of the ESXi platform and the lack of third-party malware detection capabilities on the hypervisor that manages the VMs has made the technology an attractive target for ransomware operators.

Several ransomware collectives, including Akira, Black Basta, Cl0p, HelloKitty, IceFire, Hive, LockBit, MichaelKors, Royal, REvil, and others, have all moved to Linux and started targeting ESXi machines. This trend has been fuelled by the release of the VMware-focused Babuk source code, which had spawned at least 10 ESXi-ready ransomware variants by mid-May.

Target Industries and Geography The ransomware has targeted a wide range of industries, including finance, manufacturing, information technology, and healthcare, with a primary focus on organizations in the United States. The most frequently attacked sectors include the medical, manufacturing, and technology industries.

Tactics, Techniques, and Procedures (TTPs) Abyss Locker’s TTPs, based on the MITRE ATT&CK framework, include command and scripting interpreter execution, masquerading for defense evasion, system information discovery, data collection from local systems, and data encryption for impact. The ransomware employs specific calls to the “esxcli” command-line tool, used for managing virtual devices, to assist in the full encryption of VMs. The commands determine how gracefully the targeted VMs are shut down.

Encryption Strategy and Ransom Notes The ransomware encrypts files on the device, appending a .crypt extension to filenames. For each file, the encryptor also creates a .README_TO_RESTORE file, which serves as the ransom note. These notes provide information about the encryption and include a unique link to the threat actor’s Tor negotiation site.

Detection and Mitigation Strategies Detecting Abyss Locker without specific IOCs requires a multi-layered approach, including the use of anti-malware software, network traffic monitoring, security audits, and employee education. To mitigate the risk of Abyss Locker attacks, organizations should educate employees about ransomware risks, implement strong passwords, enable multi-factor authentication, update and patch systems regularly, and establish robust backup and disaster recovery processes.

Implications and Recommendations

The rise of ransomware attacks targeting ESXi servers has significant implications for cybersecurity. Here are some recommendations for organisations to protect their systems and data:

  1. Increased Vigilance for ESXi Environments: Given the increasing trend of ransomware attacks targeting ESXi environments, regular monitoring and auditing of these systems can help in early detection of any anomalies or signs of a breach.
  2. Understanding Common Misconfigurations: Some common misconfigurations with VMware security include lack of network segmentation, improper user access controls, and not keeping the systems updated with the latest patches. Addressing these misconfigurations can significantly enhance the security of VMware environments.
  3. Separate Security Zone for Infrastructure: It is advisable not to use the main Active Directory (AD) for infrastructure such as backups and VMware. Creating a separate security zone for these can help in limiting the potential damage in case of a breach.
  4. Regular Backups: Regular backups of critical data can help in quick recovery in case of a ransomware attack. These backups should be stored in a secure location, separate from the main network.
  5. Employee Training: Employees should be trained on the best practices for cybersecurity, including recognising phishing attempts, as these are often the entry point for ransomware attacks.
  6. Incident Response Plan: Organisations should have a robust incident response plan in place to quickly and effectively respond to any potential breaches.

Indicators of Compromise (IOCs)

IOC TypeIndicator

Source: AlienVault OTX Pulse

The Importance of Sharing Samples and IOCs

No public samples of Abyss were found whilst researching this post (July) however samples have since been made available within the open source intelligence community.

Sharing samples of malware and Indicators of Compromise (IOCs) is a crucial aspect of cybersecurity. It allows researchers and security teams to analyze the threat, understand its behavior, and develop effective countermeasures.

  1. Aiding Attribution: By sharing samples, the cybersecurity community can work together to attribute attacks to specific threat actors or groups. This collaborative effort can help in understanding the tactics, techniques, and procedures (TTPs) of these threat actors, their targets, and their motivations. Attribution can also support law enforcement in their efforts to apprehend and prosecute cybercriminals.
  2. Defensive Improvements: Sharing IOCs allows organizations to improve their defenses by updating their security systems to detect and block known threats. It enables the development of specific signatures for intrusion detection systems, the creation of firewall rules, and the improvement of antivirus software. Moreover, it helps in educating the workforce about the latest threats and how to avoid them.
  3. Threat Intelligence: Shared samples contribute to the overall threat intelligence, which is vital for proactive defense. By understanding the evolving threat landscape, organizations can anticipate future attacks and take preventive measures.

The Consequences of Lack of IOCs

A lack of IOCs can play into the adversaries’ goals in several ways:

  1. Stealth and Persistence: Without known IOCs, threat actors can operate undetected for longer periods, increasing the potential damage they can cause. They can maintain persistence within the network, exfiltrate more data, or spread to more systems.
  2. Hindrance to Defense: A lack of IOCs hinders the development of effective defenses. Without specific details about the malware or attack, it’s challenging to create accurate detection rules or improve security systems.
  3. Difficulty in Attribution: Without IOCs, attributing the attack to a specific threat actor or group becomes difficult. This lack of attribution can allow threat actors to continue their operations without fear of being identified or caught.

In conclusion, sharing samples and IOCs is a collective responsibility of the cybersecurity community. It not only helps in understanding and mitigating the current threats but also plays a vital role in preparing for future ones. The absence of this crucial information can lead to prolonged stealth operations by the adversaries, hindrance in defense mechanism improvements, and difficulties in attributing the attacks to specific threat actors.

Further Reading

  1. Bleeping Computer: This article discusses how the Abyss Locker operation has developed a Linux encryptor to target VMware’s ESXi virtual machines platform.
  2. SC Magazine: This brief reports that VMware ESXi servers have been subjected to attacks involving a Linux version of the Abyss Locker ransomware.
  3. Security Affairs: This article warns about a Linux variant of the Abyss Locker designed to target VMware ESXi servers.
  4. Cyware Alerts – Hacker News: This news alert reports a new variant of the Abyss Locker ransomware designed to target Linux-based VMware ESXi servers.
  5. Cyberpills.news: This article provides an analysis and preventive actions against a variant of ransomware called Abyss Locker, now attacking VMware ESXi servers on Linux.