Keypoints
- First observed in 2023, Abyss Locker targets both Windows and Linux systems and includes a bespoke Linux encryptor for VMware ESXi environments.
- The group is linked to HelloKitty lineage and replaced its previous AES implementation with the salsa_20 encryption algorithm.
- Before encryption, the malware creates a log, terminates a hardcoded list of services and processes to avoid interference, and creates a mutex named ‘DontWorryBeHappy’.
- It removes recovery artifacts and disables boot recovery using commands like vssadmin, wmic SHADOWCOPY DELETE, and bcdedit to inhibit system recovery.
- Abyss uses hardcoded exclusions for folders, files, and extensions, skips matching items while traversing the filesystem, and spawns encryption threads according to the CPU core count, up to a 64-thread limit.
- Post-encryption actions include appending an extension (e.g., .Abyss), dropping ‘WhatHappened.txt’ ransom notes (with a Tor link) in directories and on the Desktop, and setting a ransom wallpaper.
MITRE Techniques
- [T1489] Service Stop – The ransomware forcibly kills specified services and processes to prevent interference (‘It terminates the following services’ / ‘The following processes are killed:’).
- [T1490] Inhibit System Recovery – Abyss deletes volume shadow copies and disables recovery/boot options using system utilities (‘vssadmin.exe delete shadows /all /quiet’, ‘wmic SHADOWCOPY DELETE’, ‘bcdedit / set{ default } recoveryenabled No’, ‘bcdedit / set{ default } bootstatuspolicy IgnoreAllFailures’).
- [T1106] Native API – The malware uses native OS API behavior to check for and create a named mutex to control execution (‘It checks if there is any “DontWorryBeHappy” mutex present or not. Otherwise, it will create the mutex using the same name.’).
- [T1059.003] Windows Command Shell – Command-line execution is used to run system utilities and recovery-inhibiting commands (‘It uses the following commands to delete the shadow copy and disable the recovery boot options’).
- [T1486] Data Encrypted for Impact – Abyss encrypts victim files using the salsa_20 cipher and parallelizes encryption across threads (‘It uses the salsa_20 encryption mechanism to encrypt the samples.’ and ‘Encryption threads are created based on the number of existing processors, with a maximum limit of 64 threads.’).
Indicators of Compromise
- [File hash] Sample hashes listed in the report – 3B55904D3B37C810FC230B991A257939, 2E4C626E67DF46B2A7258E73C04C4F73, and 8 more hashes.
- [Filename] Ransom note name and locations – ‘WhatHappened.txt’ dropped on the Desktop and in each directory; contains a Tor link for attacker contact.
- [Mutex] In-memory synchronization object – ‘DontWorryBeHappy’ checked/created by the malware to control execution.
- [File extension] Encrypted file extension – appended extension such as ‘.Abyss’ applied after encryption.
Abyss Locker’s runtime begins by creating a log and checking for (or creating) a mutex named ‘DontWorryBeHappy’ to manage execution. It then enumerates a hardcoded list of services and processes and terminates the matching entries via native API calls, so that no running program can hold locks on the files it intends to encrypt. The malware also executes command-line utilities to inhibit recovery; examples include ‘vssadmin.exe delete shadows /all /quiet’, ‘wmic SHADOWCOPY DELETE’, and bcdedit changes that disable recovery and set the boot status policy to ignore failures.
The encryption routine runs in multiple threads, spawned according to the available CPU cores and capped at 64, and uses the Salsa20 stream cipher to encrypt file contents. During file traversal the ransomware consults hardcoded exclusion lists for folders, filenames, and extensions so that the specified items are skipped. After encryption completes, files receive an appended extension (e.g., .Abyss), a ransom note named ‘WhatHappened.txt’ (containing a Tor contact link) is dropped in directories and on the Desktop, and the desktop wallpaper is set to a ransom message.
Technically notable is the inclusion of a Linux encryptor designed to target VMware ESXi environments in addition to the Windows builds, extending the impact across virtualized infrastructure. The published IOCs include multiple sample hashes, the mutex name, the ransom note filename, and the appended file extension; defenders should hunt for the listed commands, the process/service termination pattern, and Salsa20-based file encryption when looking for Abyss activity.
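As an added detection example (not code from the report or from Seqrite), the following Python scans process-creation records for the recovery-inhibition commands quoted above. It normalises case and whitespace so the oddly spaced bcdedit strings as printed in the report still match, and it treats two or more distinct T1490 commands from one batch as a stronger signal than a single vssadmin call, which an administrator might run legitimately. The event records are constructed sample data, not real telemetry.

```python
import re

# Constructed sample process-creation records: (pid, image path, command line).
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (4136, r"C:\Windows\System32\wbem\WMIC.exe", "wmic  SHADOWCOPY   DELETE"),
    (4150, r"C:\Windows\System32\bcdedit.exe", "bcdedit / set{ default } recoveryenabled No"),
    (4162, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"),
    (4170, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    (4180, r"C:\Program Files\Backup\agent.exe", "agent.exe --schedule nightly"),
]

# Each rule is (label, regex) applied to the normalised (lower-case, single-spaced) command line.
# The bcdedit patterns allow optional whitespace around '/' and the braces.
RULES = [
    ("T1490 shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("T1490 shadow copy deletion (wmic)",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("T1490 recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(?:\.exe)?\s*/\s*set\s*\{\s*default\s*\}\s*recoveryenabled\s+no\b")),
    ("T1490 boot status policy (bcdedit)",
     re.compile(r"\bbcdedit(?:\.exe)?\s*/\s*set\s*\{\s*default\s*\}\s*bootstatuspolicy\s+ignoreallfailures\b")),
]


def normalize(cmdline):
    # Lower-case and collapse runs of whitespace so spacing variants do not evade the rules.
    return " ".join(cmdline.lower().split())


def classify(cmdline):
    # Return the labels of every rule the command line matches.
    norm = normalize(cmdline)
    return [label for label, rx in RULES if rx.search(norm)]


def scan(events):
    # Return (pid, label) pairs for each matching record, in input order.
    return [(pid, label) for pid, _image, cmdline in events for label in classify(cmdline)]


def is_suspicious(events, threshold=2):
    # Flag a batch when at least `threshold` distinct recovery-inhibition commands appear together.
    return len({label for _pid, label in scan(events)}) >= threshold


if __name__ == "__main__":
    for pid, label in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {label}")
    print("chained recovery inhibition:", is_suspicious(SAMPLE_EVENTS))
```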
Read more: https://www.seqrite.com/blog/unveiling-abyss-locker-the-rapid-rise-of-a-menacing-ransomware-threat/