Abyss Locker Ransomware Targeting Critical Network Devices, Including ESXi Servers

The Abyss Locker ransomware group has emerged as a significant cyber threat, targeting critical network devices such as VMware ESXi servers, NAS devices, and VPN appliances.

This ransomware operation, active since 2023, employs advanced tactics to infiltrate networks, exfiltrate sensitive data, and encrypt systems for financial extortion.

Its focus on virtualized environments underscores the growing vulnerability of enterprise infrastructures reliant on virtual machines.

Attack Methodology

Abyss Locker’s attack flow begins with exploiting unpatched vulnerabilities in network devices like VPN appliances.

For instance, attackers have leveraged known flaws such as CVE-2021-20038 in SonicWall VPNs to gain initial access.

Once inside the network, they deploy tunneling tools and malware to establish persistence and facilitate lateral movement.

Credential harvesting is another key tactic. The group targets backup systems using tools like modified versions of the PowerShell script Veeam-Get-Creds.ps1 to extract credentials from Veeam backup systems.

Additionally, they dump Windows Security Account Manager (SAM) files and registry hives to obtain further credentials.

To evade detection, Abyss Locker disables endpoint protection tools by exploiting vulnerable drivers or deploying anti-virus killer executables.

They also use SSH/SOCKS tunneling tools like Chisel to maintain command-and-control (C2) communications across compromised devices.

Specific Targeting of VMware ESXi Servers

VMware ESXi servers are a prime target due to their widespread use in enterprise virtualized environments.

Abyss Locker deploys a Linux-based encryptor tailored for ESXi systems.

Using the esxcli command-line tool, the malware identifies and terminates running virtual machines before encrypting their associated files, such as virtual disks (.vmdk), metadata (.vmsd), and snapshots (.vmsn). The .crypt extension is appended to each encrypted file, and ransom notes named README_TO_RESTORE are left behind.

The ransomware also enables SSH access on ESXi hosts if disabled, using them as pivot points for further network reconnaissance and attacks.

According to the Sygnia report, Abyss Locker employs double-extortion techniques by exfiltrating data before encryption.

The stolen data is used as leverage to pressure victims into paying a ransom under the threat of public exposure on their Tor-based leak site. Data volumes stolen from victims reportedly range from 35 GB to 700 GB.

Organizations can mitigate the risk of Abyss Locker attacks by adopting robust cybersecurity practices:

  • Patch Management: Regularly update all network devices and software to address known vulnerabilities.
  • Network Segmentation: Isolate critical systems like ESXi servers and NAS devices into separate VLANs with strict firewall rules.
  • Credential Protection: Implement privileged access management (PAM) solutions and enforce multi-factor authentication (MFA) for administrative accounts.
  • Endpoint Security: Enable tamper protection for security tools and restrict the installation of unsigned drivers.
  • Monitoring and Detection: Deploy centralized logging solutions to detect anomalies such as rapid file changes or unauthorized SSH activity.
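The monitoring bullet above and the ESXi behaviour described earlier (esxcli VM termination, .crypt renames of .vmdk/.vmsd/.vmsn files, README_TO_RESTORE notes, SSH being enabled) can be turned into a simple detection rule set. The following is an added example, not code from the report or from Sygnia; it assumes events have been normalised into "timestamp<TAB>kind<TAB>detail" lines, treats `vim-cmd hostsvc/enable_ssh` as the assumed SSH-enable command (the article names no command), and uses constructed sample events and tuning thresholds.

```python
# Added detection sketch for the ESXi behaviour described above; not code from the report.
# Assumed input: normalised "timestamp<TAB>kind<TAB>detail" lines (shell history plus
# datastore file auditing, as a SIEM might deliver them). SAMPLE_EVENTS is constructed.
from datetime import datetime, timedelta

VM_FILE_EXTS = (".vmdk", ".vmsd", ".vmsn")    # file types named in the article
ENCRYPTED_EXT = ".crypt"                       # extension appended by the encryptor
RANSOM_NOTE = "README_TO_RESTORE"              # ransom note file name
VM_KILL_CMD = "esxcli vm process kill"         # VMs are stopped before encryption
SSH_ENABLE_CMD = "vim-cmd hostsvc/enable_ssh"  # assumed SSH-enable command; not from the report
RAPID_WINDOW = timedelta(seconds=60)           # burst rule tuning (assumption)
RAPID_THRESHOLD = 3

SAMPLE_EVENTS = [  # constructed for illustration
    "2025-01-10T02:00:01\tshell_cmd\tvim-cmd hostsvc/enable_ssh",
    "2025-01-10T02:00:09\tshell_cmd\tesxcli vm process kill --type=force --world-id=2101",
    "2025-01-10T02:00:10\tfile_rename\t/vmfs/volumes/ds1/web01/web01.vmdk -> /vmfs/volumes/ds1/web01/web01.vmdk.crypt",
    "2025-01-10T02:00:11\tfile_rename\t/vmfs/volumes/ds1/web01/web01.vmsd -> /vmfs/volumes/ds1/web01/web01.vmsd.crypt",
    "2025-01-10T02:00:12\tfile_rename\t/vmfs/volumes/ds1/web01/web01-Snapshot1.vmsn -> /vmfs/volumes/ds1/web01/web01-Snapshot1.vmsn.crypt",
    "2025-01-10T02:00:13\tfile_create\t/vmfs/volumes/ds1/web01/README_TO_RESTORE",
    "2025-01-10T02:05:00\tfile_rename\t/vmfs/volumes/ds1/notes.txt -> /vmfs/volumes/ds1/notes.old",
]

def detect(lines):
    """Return sorted alert strings for the given event lines."""
    alerts, renames = set(), []
    for line in lines:
        ts, kind, detail = line.rstrip("\n").split("\t", 2)
        ts = datetime.fromisoformat(ts)
        if kind == "file_rename":
            src, dst = detail.split(" -> ", 1)
            # Only VM files renamed to <name>.crypt count toward the burst rule.
            if src.endswith(VM_FILE_EXTS) and dst == src + ENCRYPTED_EXT:
                renames.append(ts)
        elif kind == "file_create" and detail.rsplit("/", 1)[-1] == RANSOM_NOTE:
            alerts.add("ransom_note:" + detail)
        elif kind == "shell_cmd":
            if detail.startswith(VM_KILL_CMD):
                alerts.add("vm_kill:" + detail)
            if detail.startswith(SSH_ENABLE_CMD):
                alerts.add("ssh_enabled:" + detail)
    # Sliding window: RAPID_THRESHOLD or more .crypt renames within RAPID_WINDOW.
    renames.sort()
    for i, start in enumerate(renames):
        if sum(1 for t in renames[i:] if t - start <= RAPID_WINDOW) >= RAPID_THRESHOLD:
            alerts.add("rapid_crypt_renames:" + start.isoformat())
            break
    return sorted(alerts)
```

Calling `detect(SAMPLE_EVENTS)` raises four alerts (ransom note, rename burst, SSH enabled, VM kill) while ignoring the unrelated rename; the unsorted `.old` rename shows why the burst rule is restricted to VM file types rather than any rename.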

With its focus on critical infrastructure and virtualized environments, Abyss Locker represents a sophisticated threat that requires proactive defense strategies.

Enterprises must remain vigilant against this evolving ransomware operation to safeguard their networks and data assets.
