About This Threat Profile
First Identified: 2023
Operation style:
Unverified, likely a private operation.
Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.
Most frequently targeted industry:
- Industrials (Manufacturing)
Most frequently targeted victim HQ region: United States, North America
Known Associations:
- Babuk Ransomware
- HelloKitty Ransomware
- Infoleak222
Description
Abyss (AKA Abyss Locker) ransomware operation has been active since at least March 2023 and uses the double extortion method, where victims’ data is stolen and leaked if the ransom demand is not paid. Abyss operates a Linux variant and focuses its targeting on VMware ESXi instances.
The Abyss variant is based on the Babuk ransomware source code, while its encryption routine is similar to that of HelloKitty ransomware. The ransomware uses the ChaCha cipher to encrypt files on the affected network.
The ransomware starts by creating a log file, “work.log”, in which it records the results of each step of the encryption process on disk. This file is held in the same directory as the running encryptor. The ransomware then checks whether it can load the “libcrypto.so” library; if so, it uses that library to resolve the address of the symbol “EVP_MD_CTX_new”. If not, the ransomware displays an error.
Prior to encryption, Abyss ransomware attempts to identify and kill each VM to allow for encryption. The ransomware uses all three shutdown options:
- “soft” attempts to gracefully shut down the VMs.
- “hard” shuts the VM down immediately without attempting to do so gracefully.
- “force” immediately shuts the VM down but may leave the instance in an unstable state. This command is used as a last resort.
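The soft-to-hard-to-force shutdown escalation across many VMs is a pattern a defender can watch for. The following is an added detection example, not code from the threat profile or from the ransomware; it runs over constructed log lines in an assumed, simplified format (`<timestamp> vm=<name> action=poweroff mode=<soft|hard|force>`), so the parser would need adapting to a real hypervisor log.

```python
# Added example: flag hosts where several VMs each receive the ordered
# soft -> hard -> force power-off sequence within a short window.
# Log format below is an assumption made for this example, not a real one.
from collections import defaultdict
from datetime import datetime, timedelta

ESCALATION = ("soft", "hard", "force")


def parse_line(line):
    """Split '<ISO ts> vm=<name> action=... mode=<m>' into (ts, vm, mode)."""
    ts, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.fromisoformat(ts), kv["vm"], kv.get("mode")


def find_escalations(lines, window=timedelta(minutes=5), min_vms=3):
    """Return the VMs that completed soft->hard->force inside `window`,
    but only when at least `min_vms` did: mass escalation is the ransomware
    pattern, while a single VM escalating is usually an administrator."""
    per_vm = defaultdict(list)
    for line in lines:
        ts, vm, mode = parse_line(line)
        if mode in ESCALATION:
            per_vm[vm].append((ts, mode))
    hits = []
    for vm, events in per_vm.items():
        events.sort()
        idx, start = 0, None          # walk the ordered subsequence
        for ts, mode in events:
            if mode != ESCALATION[idx]:
                continue
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(ESCALATION):
                if ts - start <= window:
                    hits.append(vm)
                break
    return sorted(hits) if len(hits) >= min_vms else []


# Constructed sample: three VMs escalated within a minute, plus one
# unrelated soft power-off hours later that should not be flagged.
SAMPLE_LOG = [
    "2023-03-10T02:00:01 vm=web01 action=poweroff mode=soft",
    "2023-03-10T02:00:02 vm=web02 action=poweroff mode=soft",
    "2023-03-10T02:00:03 vm=db01 action=poweroff mode=soft",
    "2023-03-10T02:00:31 vm=web01 action=poweroff mode=hard",
    "2023-03-10T02:00:32 vm=web02 action=poweroff mode=hard",
    "2023-03-10T02:00:33 vm=db01 action=poweroff mode=hard",
    "2023-03-10T02:01:01 vm=web01 action=poweroff mode=force",
    "2023-03-10T02:01:02 vm=web02 action=poweroff mode=force",
    "2023-03-10T02:01:03 vm=db01 action=poweroff mode=force",
    "2023-03-10T09:15:00 vm=backup01 action=poweroff mode=soft",
]
```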
Once the VMs are shut down, the ransomware attempts to find and log all VM files on the network. It then processes all directories, skipping file system directories, and recursively iterates through each directory using the “dirent” structure. When it finds a file, it checks the file’s extension against a skip list to determine whether the file should be left unencrypted.
The ransomware attempts to use the “daemon” function call to detach the program from the controlling terminal. It does not redirect standard input, output, or error. The sample then starts a new thread using the “pthread_create” call.