MalwareHunterTeam recently uncovered a new Linux variant of the Abyss Locker ransomware built specifically to encrypt VMware ESXi hosts. The variant is part of the larger Abyss ransomware family, which has been active since 2019 and has targeted a range of platforms and systems.
How does it work?
The Linux build of Abyss Locker reaches VMware ESXi hosts over SSH. The entry vector reported is not an exploit against ESXi itself but SSH brute force: the operators hammer the SSH login of exposed hosts and get in where passwords are weak, reused, or already leaked.
Once on the host, the encryptor encrypts the files that make up each virtual machine (virtual disks, metadata and snapshots), leaving every VM on that host unusable. Because a single ESXi host holds the storage for many VMs, one compromised host can take down dozens of workloads at once.
It then drops ransom notes demanding payment in cryptocurrency, typically Bitcoin, in exchange for the decryption key.
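The entry vector above leaves a visible trail: a burst of failed SSH logins from one source, followed by an accepted login from the same source. The following is an added example (not code from the page or from any of the researchers it cites) that runs that detection over constructed auth-log lines. The message text is OpenSSH's own; the surrounding line layout (timestamp, process, message) is an assumption to verify against a real ESXi `/var/log/auth.log` before deploying.

```python
"""Detect SSH brute-force activity and a subsequent successful login from
the same source in ESXi-style auth.log lines.

Added example, not code from the page.  The log lines are constructed and
use OpenSSH's message text; the exact line layout written by ESXi
(timestamp, process, message) is an assumption to verify on a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one host hammered from 203.0.113.9 until root's
# password is guessed, then a routine key-based admin login from 10.0.0.5.
SAMPLE_LOG = """\
2023-07-20T08:00:00Z sshd[2100010]: Server listening on 0.0.0.0 port 22.
2023-07-20T08:00:01Z sshd[2100011]: Failed password for root from 203.0.113.9 port 50122 ssh2
2023-07-20T08:00:02Z sshd[2100012]: Failed password for root from 203.0.113.9 port 50123 ssh2
2023-07-20T08:00:03Z sshd[2100013]: Failed password for invalid user backup from 203.0.113.9 port 50124 ssh2
2023-07-20T08:00:04Z sshd[2100014]: Failed password for root from 203.0.113.9 port 50125 ssh2
2023-07-20T08:00:05Z sshd[2100015]: Failed password for root from 203.0.113.9 port 50126 ssh2
2023-07-20T08:00:06Z sshd[2100016]: Failed password for root from 203.0.113.9 port 50127 ssh2
2023-07-20T08:00:07Z sshd[2100017]: Accepted password for root from 203.0.113.9 port 50128 ssh2
2023-07-20T08:14:50Z sshd[2100030]: Failed password for admin from 10.0.0.5 port 40009 ssh2
2023-07-20T08:15:00Z sshd[2100031]: Accepted publickey for admin from 10.0.0.5 port 40010 ssh2
"""


def parse(line):
    """Return a dict with ts/result/method/user/ip for an auth event, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def analyze(lines, window=timedelta(minutes=5), threshold=5):
    """Walk log lines in order and return alerts as (kind, ip, user, ts).

    kind is "bruteforce" when a source accumulates `threshold` failures
    inside `window`, and "success_after_bruteforce" when a login from that
    source is then accepted, i.e. the credential has probably been guessed.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    reported = set()               # ips already flagged as brute-forcing
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # slide the window forward
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append(("bruteforce", ip, ev["user"], ts))
        else:
            if len(recent) >= threshold:
                alerts.append(("success_after_bruteforce", ip, ev["user"], ts))
            recent.clear()        # a successful login ends this attempt sequence
            reported.discard(ip)  # a later burst from the same source is reported again
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()}Z {kind:25} {ip} user={user}")
```

The second alert kind is the one worth paging on: a lone burst of failures is background noise on any internet-facing SSH port, but an accepted login from a source that was just guessing is the moment at which the host, and every VM on it, is about to be lost. The "invalid user" form of the OpenSSH message is handled because guessing tools cycle through usernames as well as passwords.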
Gazing into the Abyss
Abyss Locker, operating in the cybercrime landscape since 2019, is part of a broader shift toward ransomware that targets Linux and hypervisor hosts, which were once deemed less exposed to such attacks. The operators claim to have stolen between 35 GB and 700 GB of data from different companies, which points to double extortion (stolen data held over the victim alongside the encryption) rather than encryption alone.
Connection with HelloKitty?
Researchers believe the Abyss Locker Linux encryptor overlaps with the HelloKitty ransomware.
According to ransomware analyst Michael Gillespie, as reported by Bleeping Computer, the Abyss Locker Linux encryptor appears to be derived from HelloKitty's, with one notable change: it uses the ChaCha stream cipher to encrypt files. HelloKitty itself typically encrypts files with AES-256 and protects the AES keys with RSA-2048, or in some builds pairs AES-128 with the NTRU public-key scheme.
Whether this is a rebranding of the HelloKitty operation or a separate group that obtained the encryptor's source code remains unclear.
Conclusion
The discovery of the Linux variant of Abyss Locker underscores how ransomware operations keep adapting, and the operators behind it are experienced, with a history of targeted attacks against high-value assets. Administrators running VMware ESXi should review how SSH on their hosts is exposed and authenticated: leave SSH and the ESXi Shell disabled except during maintenance, restrict the SSH firewall rule to a management network rather than the internet, use lockdown mode so hosts are managed through vCenter, enforce account lockout and strong, unique passwords for root, and keep offline or immutable backups of VMs so that an encrypted datastore can be rebuilt without paying.
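Several of the controls above live in ESXi's advanced settings and can be audited from a dump of `esxcli system settings advanced list`. The following is an added example, not code from the page or from VMware: it parses such a dump (the block layout is abridged and assumed here; confirm it against a real host) and compares the options that govern shell exposure and login lockout against a baseline. The threshold values in `BASELINE` and the 12-character password minimum are this example's assumptions, not a vendor standard; the `esxcli ... set -o/-i/-s` syntax used for the fix-up commands is the real one.

```python
"""Audit the ESXi advanced settings that govern SSH/shell exposure and
login brute-force resistance against an example hardening baseline.

Added example, not code from the page or from VMware.  The baseline values
are this example's assumptions.  Feed it the text of
`esxcli system settings advanced list` captured on the host.
"""
import re

# Constructed sample modelled on the block layout printed by
# `esxcli system settings advanced list` (layout abridged and assumed here).
# The values are deliberately left at weak or default settings.
SAMPLE_OUTPUT = """\
   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 0
   Default Int Value: 5
   String Value:
   Description: Maximum allowed failed login attempts before locking out a user's account. Zero disables account locking.

   Path: /Security/AccountUnlockTime
   Type: integer
   Int Value: 900
   Default Int Value: 900
   String Value:
   Description: Duration in seconds to lock out a user's account after exceeding the maximum allowed failed login attempts.

   Path: /Security/PasswordQualityControl
   Type: string
   Int Value: 0
   Default Int Value: 0
   String Value: retry=3 min=disabled,disabled,disabled,7,7
   Description: Input parameters to configure password quality.

   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   String Value:
   Description: Idle time before an interactive shell is automatically logged out (seconds, 0 disables).

   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   String Value:
   Description: Time before automatically disabling local and remote shell access (seconds, 0 disables).
"""


def parse_advanced_list(text):
    """Map option path -> typed value (int for integer options, str otherwise)."""
    settings = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
        if "Path" not in fields:
            continue
        if fields.get("Type") == "integer":
            settings[fields["Path"]] = int(fields["Int Value"])
        else:
            settings[fields["Path"]] = fields.get("String Value", "")
    return settings


def weak_password_policy(policy, min_len=12):
    """True if any enabled password class in a pam_passwdqc-style 'min=' list
    permits fewer than min_len characters (example threshold, not a standard)."""
    m = re.search(r"min=(\S+)", policy)
    if not m:
        return True
    return any(part != "disabled" and int(part) < min_len
               for part in m.group(1).split(","))


# (path, predicate on the current value, esxcli value flags for the fix, reason)
BASELINE = [
    ("/Security/AccountLockFailures", lambda v: 1 <= v <= 5, "-i 5",
     "lock an account after at most 5 failed logins; 0 disables lockout"),
    ("/Security/AccountUnlockTime", lambda v: v >= 900, "-i 900",
     "keep a locked account locked for at least 15 minutes"),
    ("/Security/PasswordQualityControl", lambda v: not weak_password_policy(v),
     '-s "retry=3 min=disabled,disabled,disabled,disabled,15"',
     "require long passwords; the default permits 7 characters"),
    ("/UserVars/ESXiShellInteractiveTimeOut", lambda v: 1 <= v <= 900, "-i 900",
     "log out idle SSH/shell sessions; 0 never does"),
    ("/UserVars/ESXiShellTimeOut", lambda v: 1 <= v <= 3600, "-i 3600",
     "turn SSH/ESXi Shell back off automatically; 0 leaves them enabled"),
]


def audit(settings):
    """Return (path, current_value, reason, fix_command) for every failing option."""
    findings = []
    for path, ok, fix_args, reason in BASELINE:
        if path not in settings:
            findings.append((path, None, "option not present in the captured output", None))
        elif not ok(settings[path]):
            fix = f"esxcli system settings advanced set -o {path} {fix_args}"
            findings.append((path, settings[path], reason, fix))
    return findings


if __name__ == "__main__":
    for path, current, reason, fix in audit(parse_advanced_list(SAMPLE_OUTPUT)):
        print(f"{path}: current={current!r}; {reason}\n    fix: {fix}")
```

Lockdown mode and the `sshServer` firewall rule's allowed-IP list are not advanced settings, so they are outside this check and still need to be reviewed separately; the audit is a floor, not a full hardening pass. Run the real dump through `parse_advanced_list` rather than editing the constructed sample, and review each emitted `esxcli` command before applying it, since `ESXiShellTimeOut` will also end a maintenance session that is still in use.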