Articles

Abyss Locker Ransomware – Updated Profile

ByThreat Analyst

25 February 2026 ,

We originally wanted to cover this locker in 2023 but were unable to acquire samples from the community. This profile reflects the currently available information as a resource as an update.


Abyss Locker, Abyss ransomware, ESXi ransomware, SonicWall SMA, CVE-2021-20038, Chisel, Rclone, Veeam credential theft, SSH tunnelling, double extortion, BYOVD

1. Executive Summary

Abyss Locker (also referred to as “Abyss”) is a double-extortion ransomware operation active since at least 2023, with a recurring focus on virtualisation infrastructure (notably VMware ESXi), edge devices, and backup systems. According to Sygnia’s incident analysis, intrusions commonly start from compromised perimeter appliances (including SonicWall SMA), followed by credential harvesting from backup infrastructure, widespread tunnelling for resilient C2, and multi-platform encryption. Public reporting now includes a materially improved set of indicators (file hashes, paths, services, IPs, and tooling artefacts) compared to early 2023 coverage, enabling more deterministic hunting and detection. (Sygnia)

2. Contextual Background

2.1 Nature of the threat

Abyss Locker is tracked as ransomware with Windows and Linux/ESXi capability, associated in multiple reports with Babuk/HelloKitty lineage and functionality (including ESXi VM shutdown prior to encryption and log artefacts such as work.log). See Fortinet’s ransomware roundup and Blackpoint’s Abyss ransomware profile (PDF). (Fortinet)

Perimeter exploitation commonly referenced in Abyss Locker intrusions:

2.2 Threat-actor attribution

Attribution: Possible. Public sources generally describe “Abyss Locker operators” rather than linking to a named, enduring threat-actor identity with a high-confidence government or top-tier vendor attribution. Reporting supports consistent tradecraft (edge-device exploitation, tunnelling, backup targeting, multi-platform encryption), but does not conclusively tie Abyss Locker to a single well-established actor profile in the way some larger ransomware ecosystems are tracked. (Sygnia)

2.3 Sector and geographic targeting

Victimology reporting is broad and opportunistic, with victims across multiple regions and sectors. Fortinet notes submissions/observations across Europe, the Americas, and Asia, while Sygnia describes enterprise intrusions with prioritisation of critical infrastructure components (VPN appliances, NAS, ESXi). Blackpoint reporting includes observed targeting spanning multiple industries and regions (based on their dataset/time window). (Fortinet)

3. Technical Analysis

3.1 TTPs and tradecraft (with MITRE ATT&CK mapping)

The most consistently described Abyss Locker intrusion pattern across higher-quality reporting (Sygnia, Fortinet, and Blackpoint PDF) includes:

Initial access and foothold

  • Exploitation of unpatched edge/VPN appliances such as SonicWall SMA (example: CVE-2021-20038) – T1190. (Sygnia)
  • Use of compromised credentials and remote services (SSH/RDP/SMB) – T1078 and T1021.004. (Blackpoint)

Credential access and privilege

  • Targeting backup infrastructure (notably Veeam) using modified credential-recovery scripts – T1059.001 (PowerShell) and credential harvesting from backup stores (tool-based). (Sygnia)
  • Dumping SAM and SECURITY hives (Windows credential material) – T1003.002 and/or T1003.004 depending on implementation described. (Sygnia)

Defence evasion

  • Disabling Defender via registry policy – T1112 and T1562.001. (Sygnia)
  • BYOVD using known vulnerable drivers (examples cited: UpdateDrv.sys, ped.sys, 3ware.sys) and AV/EDR killer tooling (SophosAV.exe, auSophos.exe) – T1562.001 and T1105 (tool transfer). (Sygnia)

Command and control

  • Heavy reliance on SSH/SOCKS tunnelling, including Chisel, native SSH, and service-wrapped persistence – T1090.001 (proxy) and T1572 (protocol tunnelling). (Sygnia)

Lateral movement

  • PsExec and Impacket tooling for lateral execution – T1021.002 (SMB/Windows Admin Shares) and T1570 (lateral tool transfer). (Sygnia)

Exfiltration

  • Use of Rclone (often renamed) to cloud storage (AWS, Backblaze cited) – T1567.002 (exfil to cloud storage). (Sygnia)

Impact

  • Multi-platform encryption with OS-specific extensions and ransom note patterns – T1486. (Sygnia)
  • Deletion of shadow copies/system backups is described in multiple summaries – T1490. (Fortinet)

3.2 Exploitation status

  • Edge-device exploitation is a primary risk driver: Sygnia directly describes exploitation of unpatched VPN appliances including SonicWall SMA via CVE-2021-20038 in observed intrusions. (Sygnia)
  • CVE-2021-20038 is confirmed exploited in the wild: It is listed in CISA’s KEV catalogue and tied to real-world exploitation activity. (cisa.gov)
  • PoC availability: Public research coverage exists for CVE-2021-20038 and related SonicWall SMA flaws (for example Rapid7’s write-up on the SMA vulnerability set). Link: Rapid7 analysis of SonicWall SMA vulnerabilities. (Rapid7)

4. Impact Assessment

4.1 Severity and scope

  • CVE-2021-20038 carries a CVSS v3.1 base score of 9.8 (Critical) in NVD, reflecting high likelihood of perimeter compromise where exposed/unpatched. (nvd.nist.gov)
  • Operational impact is amplified in virtualised estates: ESXi encryption can disrupt multiple workloads simultaneously and complicate recovery sequencing (shutdown of VMs prior to encryption is described in Abyss tradecraft). (Blackpoint)

4.2 Victim profile

Observed targets align with typical enterprise ransomware economics: organisations operating exposed edge appliances, centralised backup infrastructure, and virtualisation/NAS platforms. Public summaries indicate global spread rather than a single-region campaign. (Sygnia)

5. Indicators of Compromise (IOCs)

5.1 IOC table

TypeValueContext/NotesSource
IP:Port64.95.12[.]57:443C2 endpoint referenced in Windows SSH tunnelling service configuration (wmihelper.xml)Sygnia analysis (Sygnia)
File (Windows)C:\Users\<USER>\AppData\Roaming\Microsoft\Wmi\wmihelper.exeWinSW-wrapped SSH tunnelling backdoor componentSygnia analysis (Sygnia)
File (Windows)C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Wmi\wmihelper.exeSame backdoor deployed under SYSTEM profileSygnia analysis (Sygnia)
SHA159a97f9d7c1d6e10fa41ea9339568fb25ec55e27wmihelper.exe hashSygnia analysis (Sygnia)
SHA25605b82d46ad331cc16bdc00de5c6332c1ef818df8ceefcd49c726553209b3a0dawmihelper.exe hashSygnia analysis (Sygnia)
ServiceWMI Helper AgentPersistence service name used for tunnelling backdoorSygnia analysis (Sygnia)
Filewmihelper.xmlService wrapper configuration referencing reverse port-forwardingSygnia analysis (Sygnia)
Filewmihelper.keyPrivate key file used for SSH authenticationSygnia analysis (Sygnia)
File (key)C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Wmi\wmihelper.keyKey location called out in observed deploymentSygnia analysis (Sygnia)
File (Linux/NAS)/bin/apache2Chisel masqueraded as apache2 on NAS to evade detectionSygnia analysis (Sygnia)
SHA13f90fd241e9422cc447b5ccdcb87d72507f37e6fChisel hash (masqueraded deployment)Sygnia analysis (Sygnia)
SHA2566042a84529958a04a2d46384139da3ef016bf9498e791cd5e34dfecec2baa1d2Chisel hash (masqueraded deployment)Sygnia analysis (Sygnia)
File (Windows)C:\Windows\uFmAnlZR.exeRemcom/PsExec-like lateral tooling artefactSygnia analysis (Sygnia)
SHA2563c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71Remcom hashSygnia analysis (Sygnia)
File (Linux)/tmp/e.elfLinux encryptor staging pathSygnia analysis (Sygnia)
SHA2565fba25759423f9efc92592977f6c9ff77d47a20aa8ec8e9cd17d5cfa786a1852Linux encryptor hashSygnia analysis (Sygnia)
File (Windows)C:\Users\<USER>\Desktop\e\e.exeWindows encryptor staging pathSygnia analysis (Sygnia)
SHA256cd9d88cccd85209966c5a35aba7751b962bcc021a4216d6addfc0c3462ce80daWindows encryptor hashSygnia analysis (Sygnia)
FileC:\Windows\System32\LTSVC.exeRclone renamed to evade detectionsSygnia analysis (Sygnia)
FileC:\Windows\System32\filter.txtRclone filter file referenced in activitySygnia analysis (Sygnia)
FileC:\Windows\Temp\SophosAV.exeAV/EDR killer componentSygnia analysis (Sygnia)
FileC:\ProgramData\USOShared\auSophos.exeAV/EDR killer componentSygnia analysis (Sygnia)
SHA256f9ab649acfe76d6ac088461b471e5d981bdc8b71d940e94c63bc1988a2ed4678UpdateSvc.exe hash (EDR/AV disabling tooling)Sygnia analysis (Sygnia)
ServiceUpdateSVCService name used with disabling toolSygnia analysis (Sygnia)
RegistryHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1Defender disablement via policy keySygnia analysis (Sygnia)
Ransom noteWhatHappened.txtWindows ransom note name (also reported broadly)Fortinet roundup (Fortinet)
Ransom note*.README_TO_RESTOREESXi/Linux ransom note extension (reported broadly)Fortinet roundup (Fortinet)
Encrypted ext (Windows).abyssCommon encrypted extension on WindowsFortinet roundup (Fortinet)
Encrypted ext (ESXi/Linux).cryptCommon encrypted extension on ESXi/LinuxSygnia analysis (Sygnia)
SHA25672310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462Abyss Locker v2 (Linux) sample hashFortinet roundup (Fortinet)
SHA2563fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6dAbyss Locker v2 (Windows) sample hashFortinet roundup (Fortinet)
SHA2569243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdcAbyss Locker v1 (Windows) sample hashFortinet roundup (Fortinet)
Onion (leak site)hxxp://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd[.]onion/Data leak site reference (defanged)Blackpoint profile (PDF) (Blackpoint)

5.2 Detection guidance (public rules and practical hunts)

Sigma (process creation / behavioural)

Hunting notes aligned to Abyss tradecraft

  • Look for renamed binaries and service-wrapped tunnelling. Sygnia explicitly describes WinSW usage and service installation for an SSH tunnel (“WMI Helper Agent”), with supporting artefacts wmihelper.xml and wmihelper.key. (Sygnia)
  • Rclone masquerading: hunt for LTSVC.exe (or other renamed binaries) invoking typical Rclone verbs (sync/copy) and creation/use of filter files (for example filter.txt). (Sygnia)

YARA (community)

6. Incident Response Guidance

6.1 Containment, eradication, recovery

  1. Contain edge-device risk immediately: identify exposed SonicWall SMA appliances; patch per SonicWall guidance for CVE-2021-20038 and validate remediation with external scanning where appropriate. (psirt.global.sonicwall.com)
  2. Isolate high-value pivots: quarantine ESXi hosts, NAS devices, and backup appliances from east-west traffic; specifically restrict outbound SSH/HTTPS from these assets to the internet (Sygnia shows these are used as durable tunnelling points). (Sygnia)
  3. Kill known persistence: remove “WMI Helper Agent” (and any unknown WinSW-style wrapper services), delete wmihelper.* artefacts, and block the referenced C2 (64.95.12[.]57:443) at perimeter and host controls. (Sygnia)
  4. Credential reset sequence: prioritise Veeam/backup service accounts, domain admins, and any accounts observed authenticating to ESXi/NAS; Sygnia’s flow highlights backup credential harvesting as a pivot to broad access. (Sygnia)
  5. Recovery: validate backups are not tampered with (Abyss tradecraft includes backup disruption and shadow copy deletion); restore in phases (identity, core services, then workloads), and confirm ESXi hosts are rebuilt from trusted media rather than “cleaned in place”. (Fortinet)

6.2 Forensic artefacts to preserve

  • SonicWall SMA appliance logs and filesystem (where feasible), including evidence of CVE-2021-20038 exploitation. (psirt.global.sonicwall.com)
  • Windows: Security logs, PowerShell logs, Sysmon (process creation + file create), registry audit for Defender policy key modifications. (Sygnia)
  • ESXi: hostd.log, authentication logs, and evidence of SSH daemon enablement and outbound SSH sessions. (Sygnia)
  • NAS: DSM audit trails (synoconndb referenced by Sygnia), user creation events (notably support), bash history tampering evidence. (Sygnia)
  • Exfil: rclone configs, renamed binaries (LTSVC.exe), and cloud access logs (AWS/Backblaze) for large outbound transfers. (Sygnia)

6.3 Lessons learned

  • Abyss Locker highlights the operational cost of treating edge devices, backup, ESXi, and NAS as “appliances” outside standard EDR and monitoring controls. The tradecraft explicitly abuses those blind spots for persistence and pivoting. (Sygnia)

7. Threat Intelligence Contextualisation

7.1 Comparison with similar incidents

Abyss Locker’s emphasis on ESXi, pre-encryption VM handling, and the use of tunnelling from infrastructure nodes aligns with broader ESXi-targeting ransomware evolution discussed across industry reporting. Early coverage specifically notes Abyss Locker’s Linux encryptor targeting ESXi. See BleepingComputer’s July 2023 reporting and supporting summaries. (BleepingComputer)

7.2 Full MITRE ATT&CK mapping (observed in cited reporting)

TacticTechnique IDTechnique NameObserved Behaviour
Initial AccessT1190Exploit Public-Facing ApplicationExploitation of unpatched VPN appliances (example: SonicWall SMA CVE-2021-20038)
Initial AccessT1078Valid AccountsUse of compromised credentials to access internal systems and devices
ExecutionT1059.001PowerShellExecution of modified Veeam credential recovery scripts (e.g., veeam11.ps1)
Credential AccessT1003.002OS Credential Dumping: Security Account ManagerSAM/SECURITY hive dumping described by Sygnia
Defence EvasionT1112Modify RegistryDefender policy key modification (DisableAntiSpyware)
Defence EvasionT1562.001Impair Defences: Disable or Modify ToolsEDR removal/stop; AV/EDR killer tooling; BYOVD drivers referenced
Command and ControlT1572Protocol TunnelingSSH-based reverse tunnels; SOCKS tunnelling described
Command and ControlT1090.001Proxy: Internal ProxyChisel and SSH/SOCKS used to proxy and pivot through critical devices
Lateral MovementT1021.002Remote Services: SMB/Windows Admin SharesPsExec and Impacket family tooling for lateral movement
Collection/ExfiltrationT1567.002Exfiltration to Cloud StorageRclone used (renamed) to exfiltrate to cloud storage providers
ImpactT1486Data Encrypted for ImpactWindows .abyss, ESXi/Linux .crypt; ransom notes WhatHappened.txt / README_TO_RESTORE
ImpactT1490Inhibit System RecoveryShadow copy / backup disruption behaviours described in summaries

(Sygnia)

8. Mitigation Recommendations

8.1 Hardening and security controls

  • Edge device governance: reduce exposure of SMA/SSLVPN management surfaces, enforce MFA for admin access, and monitor for anomalous post-auth activity on perimeter devices. (Sygnia)
  • Segment and restrict egress from “appliances” (ESXi, NAS, VPN, backup): Sygnia’s findings show these nodes are leveraged as stable tunnelling points; apply strict outbound policies and alert on SSH/HTTPS sessions from these devices. (Sygnia)
  • Backup security: isolate backup management planes, enforce immutable storage, and restrict backup service account privileges (Sygnia highlights backup appliances as a credential access target). (Sygnia)
  • Driver and kernel control: implement controls to prevent BYOVD, block vulnerable driver installation, and enable EDR tamper protection. (Sygnia)

8.2 Patch management priorities

  1. Immediate priority: CVE-2021-20038 on SonicWall SMA 100 series.
  2. Operational workarounds if patching is delayed (risk-acceptance only): limit exposure of VPN interfaces, restrict by source IP/geo where feasible, and increase monitoring for exploitation artefacts and anomalous admin activity (aligned to Sygnia’s “secure edge devices” defensive guidance). (Sygnia)

9. Historical Context & Related Vulnerabilities

  • Abyss Locker’s ESXi targeting fits the broader ransomware trend of Linux/ESXi encryptors becoming standard across major groups, as documented in early 2023 reporting. See BleepingComputer’s Abyss Locker ESXi coverage and related industry summaries. (BleepingComputer)
  • Related perimeter risk: SonicWall SMA vulnerabilities, including CVE-2021-20038, remain repeatedly referenced in ransomware access chains due to exposure prevalence and high impact. (Rapid7)

10. Future Outlook

  • Infrastructure-node tunnelling will persist: Sygnia’s reporting suggests Abyss Locker operators optimise for stable C2 by embedding tunnels in ESXi/NAS/VPN nodes, which are less monitored than endpoints. Defenders should expect continued masquerading and service-wrapped persistence around SSH/Chisel patterns. (Sygnia)
  • Backup-centric credential and recovery disruption will remain a centre of gravity: the focus on Veeam credential recovery and shadow-copy/backup deletion behaviours indicates a mature understanding of ransomware recovery choke points. (Sygnia)

11. Further Reading

Primary technical analysis

Early reporting / context

Vulnerability references

IOC Pack

Type,Value,Context,Source
ip_port,64.95.12[.]57:443,C2 endpoint in wmihelper.xml (SSH tunnel),Sygnia
file,C:\Users\<USER>\AppData\Roaming\Microsoft\Wmi\wmihelper.exe,WinSW-wrapped SSH tunnel backdoor,Sygnia
file,C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Wmi\wmihelper.exe,Backdoor under SYSTEM profile,Sygnia
sha1,59a97f9d7c1d6e10fa41ea9339568fb25ec55e27,wmihelper.exe,Sygnia
sha256,05b82d46ad331cc16bdc00de5c6332c1ef818df8ceefcd49c726553209b3a0da,wmihelper.exe,Sygnia
service,WMI Helper Agent,Persistence service name,Sygnia
file,wmihelper.xml,Service wrapper config,Sygnia
file,wmihelper.key,SSH private key,Sygnia
file,/bin/apache2,Chisel masqueraded as apache2 on NAS,Sygnia
sha1,3f90fd241e9422cc447b5ccdcb87d72507f37e6f,Chisel binary,Sygnia
sha256,6042a84529958a04a2d46384139da3ef016bf9498e791cd5e34dfecec2baa1d2,Chisel binary,Sygnia
file,C:\Windows\uFmAnlZR.exe,Remcom lateral tool,Sygnia
sha256,3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71,Remcom,Sygnia
file,/tmp/e.elf,Linux encryptor staging,Sygnia
sha256,5fba25759423f9efc92592977f6c9ff77d47a20aa8ec8e9cd17d5cfa786a1852,Linux encryptor,Sygnia
file,C:\Users\<USER>\Desktop\e\e.exe,Windows encryptor staging,Sygnia
sha256,cd9d88cccd85209966c5a35aba7751b962bcc021a4216d6addfc0c3462ce80da,Windows encryptor,Sygnia
file,C:\Windows\System32\LTSVC.exe,Rclone renamed,Sygnia
file,C:\Windows\System32\filter.txt,Rclone filter file,Sygnia
file,C:\Windows\Temp\SophosAV.exe,AV/EDR killer,Sygnia
file,C:\ProgramData\USOShared\auSophos.exe,AV/EDR killer,Sygnia
sha256,f9ab649acfe76d6ac088461b471e5d981bdc8b71d940e94c63bc1988a2ed4678,UpdateSvc.exe,Sygnia
service,UpdateSVC,Disabling tool service name,Sygnia
registry,HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1,Defender policy modification,Sygnia
ransom_note,WhatHappened.txt,Windows ransom note,Fortinet
ransom_note,*.README_TO_RESTORE,ESXi/Linux ransom note extension,Fortinet
encrypted_ext,.abyss,Windows encrypted extension,Fortinet
encrypted_ext,.crypt,ESXi/Linux encrypted extension,Sygnia
sha256,72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462,Abyss Locker v2 Linux,Fortinet
sha256,3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d,Abyss Locker v2 Windows,Fortinet
sha256,9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc,Abyss Locker v1 Windows,Fortinet
onion,hxxp://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd[.]onion/,Leak site (defanged),Blackpoint

ByThreat Analyst

Related Post

Articles

DPRK fake interview lures and recruitment-driven access operations summary

25 February 2026 Threat Analyst
Articles

SANDWORM_MODE: npm supply-chain worm poisons CI workflows and AI coding assistants

24 February 2026 Threat Analyst
Articles

Lazarus-linked activity using Medusa ransomware

24 February 2026 Threat Analyst

You missed

Vulnerabilities_Exploits

Active exploitation of Cisco Catalyst SD-WAN via UAT-8616 (CVE-2026-20127)

25 February 2026 Threat Analyst
Articles

DPRK fake interview lures and recruitment-driven access operations summary

25 February 2026 Threat Analyst
Articles

Abyss Locker Ransomware – Updated Profile

25 February 2026 Threat Analyst
Vulnerabilities_Exploits

SolarWinds Serv-U: Privileged RCE flaws patched in 15.5.4

24 February 2026 Threat Analyst