Abyss Locker Ransomware Looks to Drown VMware's ESXi Servers

The 4-month-old ransomware gang is now actively targeting VMware's virtual environments with a second variant of its custom malware.

Dark Reading Staff, Dark Reading

July 31, 2023

1 Min Read
Stranded businessman lost at sea standing on an isolated rock as a business concept for despair or being lost
Source: Brain light via Alamy Stock Photo

The Abyss Locker ransomware gang is now a threat to industrial control systems (ICS), enterprises, and public-sector organizations alike thanks to a custom Linux encryptor aimed at deep-sixing VMware's ESXi virtualized environments.

According to KELA researchers (PDF), Abyss Locker was launched in March as part of a double-extortion ransomware gambit, in which data is both encrypted and exfiltrated for possible leaking if the victim doesn't pay up. Version 2, first spotted by security researcher MalwareHunterTeam this month, now contains a Linux ELF encryptor variant that appears to be specifically aimed at ESXi virtual machines (VMs). So far, according to analysis, the group has claimed 14 victims.

Abyss Locker's pivot is part of a larger trend. The widespread use of ESXi platform and the fact that the hypervisor that manages the VMs does not support any third-party malware detection capabilities has made the technology an increasingly attractive target for ransomware operators.

Several ransomware collectives, including new kid on the block Akira, Black Basta, Cl0p, HelloKitty, IceFire, Hive, LockBit, MichaelKors, Royal, REvil, and others have all made the move to Linux and locking up ESXi machines. Stoking the trend is the release of the VMware-focused Babuk source code, which as of mid-May had spawned at least 10 EXSi-ready ransomware variants, according to a SentinelOne report at the time.

Ransomware hunter Michael Gillespie told BleepingComputer that Abyss Locker's Linux encryptor appears to be based on the older HelloKitty ransomware, which was behind a string of high-profile attacks such as the Cyberpunk 2077 gaming attack two+ years ago. 

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights