FortiGuard Labs has released a report detailing the emergence and impact of the Abyss Locker ransomware, which has been targeting Microsoft Windows and Linux platforms.
Abyss Locker, believed to be based on the HelloKitty ransomware source code, has been stealing and encrypting victims’ files, demanding ransom for file decryption, and preventing the release of stolen data.
The severity level of this ransomware is classified as high. The first Abyss Locker sample was detected in July 2023, but the ransomware’s origins may date even further.
The Windows version of Abyss Locker was discovered in January 2024, with a second version shortly after. The Linux variant, which targets VMware ESXi systems, has also been identified.
You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.
The Windows version of Abyss Locker performs several actions to ensure the successful encryption of files. It deletes Volume Shadow Copies and system backups using commands like vssadmin.exe delete shadows /all /quiet
and wmic SHADOWCOPY DELETE
.
It also sets the boot status policy to disable automatic repair and ignore all boot failures.
The ransomware encrypts files and changes the file extension to “.abyss” or a random five-letter extension for the version 1 variant.
A ransom note titled “WhatHappened.txt” is dropped, and the desktop wallpaper is replaced with a message demanding a ransom.
The Linux version of Abyss Locker uses the esxcli
command-line tool to manage VMware ESXi systems. It attempts to gracefully shut down running VMs before encrypting files with a “.crypt” extension.
A ransom note with the “.README_TO_RESTORE” extension is created for each encrypted file.
Both versions of the ransomware avoid encrypting specific file extensions and directories to maintain the system’s operability and ensure the victim can communicate with the attackers for ransom negotiation, reads Fortinet report.
The infection vector for Abyss Locker is not specified, but it is likely similar to other ransomware groups.
The ransomware samples have been submitted from various regions, indicating a widespread attack.
While no current data leak site exposes victims’ names, a ransom negotiation site on TOR is available. The ransom demands vary, with higher amounts typically set for consumers.
The Abyss Locker ransomware poses a significant threat to Windows and Linux users, particularly those utilizing VMware ESXi systems.
Abyss Locker Ransomware File IOCs
SHA2 | Note |
72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462 | Abyss Locker v2 (Linux) |
3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d | Abyss Locker v2 (Windows) |
9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc | Abyss Locker v1 (Windows) |
0763e887924f6c7afad58e7675ecfe34ab615f4bd8f569759b1c33f0b6d08c64 | Abyss Locker v1 (Windows) |
dee2af08e1f5bb89e7bad79fae5c39c71ff089083d65da1c03c7a4c051fabae0 | Abyss Locker v1 (Windows) |
e6537d30d66727c5a306dc291f02ceb9d2b48bffe89dd5eff7aa2d22e28b6d7c | Abyss Locker v1 (Windows) |
1d04d9a8eeed0e1371afed06dcc7300c7b8ca341fe2d4d777191a26dabac3596 | Abyss Locker v1 (Windows) |
1a31b8e23ccc7933c442d88523210c89cebd2c199d9ebb88b3d16eacbefe4120 | Abyss Locker v1 (Windows) |
25ce2fec4cd164a93dee5d00ab547ebe47a4b713cced567ab9aca4a7080afcb7 | Abyss Locker v1 (Windows) |
b524773160f3cb3bfb96e7704ef31a986a179395d40a578edce8257862cafe5f | Abyss Locker v1 (Windows) |
362a16c5e86f13700bdf2d58f6c0ab26e289b6a5c10ad2769f3412ec0b2da711 | Abyss Locker v1 (Windows) |
e5417c7a24aa6f952170e9dfcfdf044c2a7259a03a7683c3ddb72512ad0cd5c7 | Abyss Locker v1 (Windows) |
056220ff4204783d8cc8e596b3fc463a2e6b130db08ec923f17c9a78aa2032da | Abyss Locker v1 (Windows) |
877c8a1c391e21727b2cdb2f87c7b0b37fb7be1d8dd2d941f5c20b30eb65ee97 | Abyss Locker v1 (Windows) |
2e42b9ded573e97c095e45dad0bdd2a2d6a0a99e4f7242695054217e2bba6829 | Abyss Locker v1 (Windows) |
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…