Jump to content
  • Linux version of Abyss Locker ransomware targets VMware ESXi servers

    aum

    • 621 views
    • 4 minutes
     Share


    • 621 views
    • 4 minutes

    The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise.

     

    As the enterprise shifts from individual servers to virtual machines for better resource management, performance, and disaster recovery, ransomware gangs create encryptors focused on targeting the platform.

     

    With VMware ESXi being one of the most popular virtual machine platforms, almost every ransomware gang has begun to release Linux encryptors to encrypt all virtual servers on a device.

     

    Other ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

     

    The Abyss Locker


    Abyss Locker is a relatively new ransomware operation that is believed to have launched in March 2023, when it began to target companies in attacks.

     

    Like other ransomware operations, the Abyss Locker threat actors will breach corporate networks, steal data for double-extortion, and encrypt devices on the network.

     

    The stolen data is then used as leverage by threatening to leak files if a ransom is not paid. To leak the stolen files, the threat actors created a Tor data leak site named 'Abyss-data' that currently lists fourteen victims.

     

    data-leak-site.jpg

    Abyss Locker data leak site
    Source: BleepingComputer

     

    The threat actors claim to have stolen anywhere between 35 GB of data from one company to as high as 700 GB at another.

     

    Targeting VMware ESXi servers


    This week, security researcher MalwareHunterTeam found a Linux ELF encryptor for the Abyss Locker operation and shared it with BleepingComputer for analysis.

     

    After looking at the strings in the executable, it is clear that the encryptor specifically targets VMware ESXi servers.

     

    As you can see from the commands below, the encryptor utilizes the 'esxcli' command-line VMware ESXi management tool to first list all available virtual machines and then terminate them.

     

    esxcli vm process list
    esxcli vm process kill -t=soft -w=%d
    esxcli vm process kill -t=hard -w=%d
    esxcli vm process kill -t=force -w=%d

     

    When shutting down the virtual machines, Abyss Locker will use the 'vm process kill' command and one of the soft, hard, or forced options.

     

    The soft option performs a graceful shutdown, the hard option terminates a VM immediately, and force is used as a last resort.

     

    The encryptor terminates all virtual machines to allow the associated virtual disks, snapshots, and metadata to be properly encrypted by encrypting all files with the following extensions: .vmdk (virtual disks), .vmsd (metadata), and .vmsn (snapshots).

     

    In addition to targeting virtual machines, the ransomware will also encrypt all other files on the device and append the .crypt extension to their filenames, as shown below.

     

    encrypted-files.jpg

    Encrypted files and ransom notes
    Source: BleepingComputer

     

    For each file, the encryptor will also create a file with a .README_TO_RESTORE extension, which acts as the ransom note.

     

    This ransom note contains information on what happened to the files and a unique link to the threat actor's Tor negotiation site. This site is barebones, only having a chat panel that can be used to negotiate with the ransomware gang.

     

    ransom-note.jpg

    Abyss Locker ransom note
    Source: BleepingComputer

     

    Ransomware expert Michael Gillespie said that the Abyss Locker Linux encryptor is based on Hello Kitty, using ChaCha encryption instead.

     

    However, it is not known if this is a rebrand of the HelloKitty operation or if another ransomware operation gained access to the encryptor's source code, as we saw with Vice Society.

     

    Unfortunately, HelloKitty has historically been a secure ransomware, preventing the recovery of files for free.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...