The Abyss Locker ransomware gang is now a threat to industrial control systems (ICS), enterprises, and public-sector organizations alike thanks to a custom Linux encryptor aimed at deep-sixing VMware’s ESXi virtualized environments.
According to KELA researchers (PDF), Abyss Locker was launched in March as part of a double-extortion ransomware gambit, in which data is both encrypted and exfiltrated for possible leaking if the victim doesn’t pay up. Version 2, first spotted by security researcher MalwareHunterTeam this month, now contains a Linux ELF encryptor variant that appears to be specifically aimed at ESXi virtual machines (VMs). So far, according to analysis, the group has claimed 14 victims.
Abyss Locker’s pivot is part of a larger trend. The widespread use of the ESXi platform, combined with the fact that the hypervisor managing the VMs does not support any third-party malware detection capabilities, has made the technology an increasingly attractive target for ransomware operators.
Several ransomware collectives, including new kid on the block Akira, Black Basta, Cl0p, HelloKitty, IceFire, Hive, LockBit, MichaelKors, Royal, REvil, and others, have all made the move to Linux and to locking up ESXi machines. Stoking the trend is the release of the VMware-focused Babuk source code, which as of mid-May had spawned at least 10 ESXi-ready ransomware variants, according to a SentinelOne report at the time.
Ransomware hunter Michael Gillespie told BleepingComputer that Abyss Locker’s Linux encryptor appears to be based on the older HelloKitty ransomware, which was behind a string of high-profile attacks such as the Cyberpunk 2077 gaming attack more than two years ago.