Abyss Ransomware: Dark Web Insights from SOCRadar® Cyber Intelligence Inc.

Abyss Locker, also known as Abyss Ransomware, emerged in 2023 as a potent threat targeting Windows and Linux systems across multiple industries with advanced encryption and multi-extortion tactics. It expanded from Windows to VMware ESXi/Linux environments and leverages dark web/TOR channels for data leaks and ransom negotiations.

Key Points

  • Abyss Locker ransomware first appeared in 2023 and has rapidly gained notoriety.
  • Targets multiple industries, including finance, manufacturing, healthcare, and technology.
  • Utilizes advanced encryption techniques and multi-extortion tactics.
  • Initially focused on Windows systems, but has expanded to Linux environments, particularly VMware ESXi.
  • Employs sophisticated tactics such as lateral movement, service termination, and data exfiltration.
  • Primarily targets the United States, with significant activity in Germany, the UK, and other countries.
  • Defensive measures include advanced anti-malware, security audits, strong authentication, and continuous employee training.

MITRE Techniques

  • [T1566] Phishing – Abyss Locker often gains initial access through phishing emails, tricking users into downloading malicious attachments or clicking on malicious links.
  • [T1078] Valid Accounts – The group may leverage stolen credentials to access targeted systems, especially through weak SSH configurations.
  • [T1059] Command and Scripting Interpreter – Uses various scripting languages and command-line interfaces to execute malicious code on the victim’s systems.
  • [T1569.002] System Services: Service Execution – Executes its payloads by abusing legitimate system services.
  • [T1547] Boot or Logon Autostart Execution – Establishes persistence by modifying system boot configurations, ensuring malicious processes start automatically upon reboot.
  • [T1543] Create or Modify System Process – May create or modify system processes to maintain persistence.
  • [T1068] Exploitation for Privilege Escalation – Exploits vulnerabilities or misconfigurations to gain elevated privileges on compromised systems.
  • [T1027] Obfuscated Files or Information – Uses obfuscation techniques to hide malicious code and avoid detection by security tools.
  • [T1562.001] Disable or Modify Tools – Disables or modifies security tools and services to evade detection and prevent recovery.
  • [T1070] Indicator Removal on Host – Deletes system logs, Volume Shadow Copies, and other traces to hinder forensic analysis and data recovery efforts.
  • [T1110] Brute Force – Attempts to gain access to accounts by performing brute-force attacks, especially on SSH accounts.
  • [T1018] Remote System Discovery – Scans the network to identify other systems for lateral movement and increased impact.
  • [T1082] System Information Discovery – Gathers information about the system’s configuration and network environment to tailor its attack.
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Uses compromised credentials to move laterally across the network via SMB or Windows Admin Shares.
  • [T1005] Data from Local System – Collects sensitive data from local systems before encrypting it for leverage in ransom demands.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates stolen data to command and control (C2) servers for use in extortion.
  • [T1486] Data Encrypted for Impact – Encrypts files on compromised systems, making them inaccessible without paying the ransom for the decryption key.
  • [T1489] Service Stop – Stops critical services and processes, such as databases and backups, to maximize damage and increase ransom payment likelihood.
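Three of the techniques above leave very ordinary log evidence: SSH brute force (T1110) shows up as bursts of failed logins in the OpenSSH auth log, and shadow-copy deletion (T1070) or stopping database/backup services (T1489) shows up in Windows process-creation command lines. The following detection helpers are an added example, not code from SOCRadar or from the report; the log lines and process events are constructed for the example, the OpenSSH "Failed/Accepted password" message format is assumed, and the list of sensitive service names is an illustrative assumption to be replaced with your own.

```python
"""Detection helpers for T1110 (SSH brute force), T1070 (shadow-copy deletion)
and T1489 (service stop). Added example; all sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth-log format is assumed (standard sshd "Failed/Accepted password" lines).
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed sample: one source hammers root/admin then gets in; another is benign.
SAMPLE_AUTH_LOG = [
    "Jan 10 02:14:01 esxi-mgmt sshd[2211]: Failed password for root from 203.0.113.7 port 51514 ssh2",
    "Jan 10 02:14:03 esxi-mgmt sshd[2213]: Failed password for root from 203.0.113.7 port 51516 ssh2",
    "Jan 10 02:14:05 esxi-mgmt sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51518 ssh2",
    "Jan 10 02:14:08 esxi-mgmt sshd[2217]: Failed password for root from 203.0.113.7 port 51520 ssh2",
    "Jan 10 02:14:10 esxi-mgmt sshd[2219]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Jan 10 02:14:12 esxi-mgmt sshd[2221]: Failed password for root from 203.0.113.7 port 51524 ssh2",
    "Jan 10 02:15:30 esxi-mgmt sshd[2230]: Accepted password for root from 203.0.113.7 port 51530 ssh2",
    "Jan 10 02:20:00 esxi-mgmt sshd[2300]: Failed password for ops from 198.51.100.4 port 40000 ssh2",
    "Jan 10 02:20:05 esxi-mgmt sshd[2302]: Accepted password for ops from 198.51.100.4 port 40002 ssh2",
]


def parse_ts(ts, year=2025):
    """syslog timestamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {ip: summary} for sources with >= threshold failures inside a
    sliding window; 'followed_by_success' marks a later accepted login, which
    is the case that warrants immediate response (T1110 leading to T1078)."""
    events = defaultdict(list)
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["result"], m["user"]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, r, _ in evs if r == "Failed"]
        burst = any(
            (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        later_success = any(r == "Accepted" and t > fails[0] for t, r, _ in evs)
        alerts[ip] = {
            "failures": len(fails),
            "followed_by_success": later_success,
            "users": sorted({u for _, _, u in evs}),
        }
    return alerts


# Command lines that destroy recovery points (T1070 as described above).
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# "net stop"/"sc stop" against database or backup services (T1489).
SERVICE_STOP = re.compile(r"\b(?:net|sc)(\.exe)?\s+stop\s+(?P<svc>\S+)", re.I)
SENSITIVE_SERVICES = {"mssqlserver", "sqlwriter", "veeambackupsvc", "vss", "backupexec"}  # assumed list

# Constructed process-creation events (host + command line only).
SAMPLE_PROCESS_EVENTS = [
    {"Host": "FS01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Host": "DB01", "CommandLine": "net stop MSSQLSERVER /y"},
    {"Host": "WS07", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"Host": "FS01", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
]


def triage_process_events(events):
    """Return (host, category, command_line) for events matching either rule set."""
    hits = []
    for ev in events:
        cmd = ev["CommandLine"]
        if any(p.search(cmd) for p in RECOVERY_INHIBIT):
            hits.append((ev["Host"], "recovery_inhibit", cmd))
        m = SERVICE_STOP.search(cmd)
        if m and m["svc"].lower() in SENSITIVE_SERVICES:
            hits.append((ev["Host"], "service_stop", cmd))
    return hits


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print("ssh brute force from", ip, info)
    for host, cat, cmd in triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(host, cat, cmd)
```

On the sample data the SSH rule fires only for 203.0.113.7 (six failures in eleven seconds, then an accepted login), while the single failure from 198.51.100.4 stays below threshold; the process rules flag the shadow-copy deletion, the bcdedit change and the database service stop, and ignore the notepad launch. The thresholds are deliberately conservative; tune them against your own baseline before alerting on them.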

Indicators of Compromise

  • [Hash Value] – Hash values associated with Abyss Locker samples; example hashes include 3B55904D3B37C810FC230B991A257939, 2E4C626E67DF46B2A7258E73C04C4F73, and 23 more hashes not listed here
  • [File Indicator] – File indicators observed in the campaigns, including .XPbS1, 5620e71084c3bdc87a2522d4f5ad548a, and 1 more indicator not listed here
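The hash and file indicators above are only useful once they are swept across hosts. The script below is an added example, not SOCRadar's tooling: it walks a directory, hashes each regular file with MD5 (the page's 32-hex-digit hashes are assumed to be MD5) and compares against the two hashes the page quotes, and flags file names containing either file indicator exactly as the page lists them. The demo directory and its contents are constructed; the 23 hashes and the extra indicator the page does not list are not invented here.

```python
"""Offline IoC sweep against the Abyss Locker indicators quoted above.
Added example; not SOCRadar's code. Demo files are constructed."""
import hashlib
import os
import tempfile

# The two hashes quoted on the page, normalised to lowercase (assumed to be MD5).
ABYSS_MD5_IOCS = {
    "3b55904d3b37c810fc230b991a257939",
    "2e4c626e67df46b2a7258e73c04c4f73",
}
# File indicators quoted on the page; matched as case-insensitive substrings of file names.
ABYSS_FILE_INDICATORS = [".XPbS1", "5620e71084c3bdc87a2522d4f5ad548a"]


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large volumes do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, md5_iocs=ABYSS_MD5_IOCS, name_indicators=ABYSS_FILE_INDICATORS):
    """Walk `root` and return (path, reason) for every regular file that
    matches a hash IoC or carries a file-name indicator. Symlinks are skipped
    so a planted link cannot send the sweep outside `root`."""
    iocs = {h.lower() for h in md5_iocs}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for ind in name_indicators:
                if ind.lower() in name.lower():
                    findings.append((path, f"file indicator {ind}"))
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: log and move on rather than abort the sweep
            if digest in iocs:
                findings.append((path, f"md5 {digest}"))
    return findings


def demo_sweep():
    """Build a throwaway directory with constructed files and sweep it.
    The demo payload's own hash is added to the IoC set so the hash path
    is exercised without needing a real sample."""
    root = tempfile.mkdtemp(prefix="abyss-ioc-demo-")
    payload = b"constructed sample payload, not malware"
    with open(os.path.join(root, "payload.bin"), "wb") as f:
        f.write(payload)
    with open(os.path.join(root, "report.docx.XPbS1"), "wb") as f:
        f.write(b"constructed encrypted-looking file")
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"nothing to see here")
    demo_iocs = ABYSS_MD5_IOCS | {hashlib.md5(payload).hexdigest().upper()}
    found = sweep(root, md5_iocs=demo_iocs)
    return sorted((os.path.basename(p), reason) for p, reason in found)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = sweep(target) if target else demo_sweep()
    for item, reason in results:
        print(f"{reason}: {item}")
```

Run with a directory argument to sweep real storage, or with no argument to see the demo hit the payload by hash and the `.XPbS1` file by name while leaving `clean.txt` alone. MD5 is used because that is what the report quotes; it identifies known samples but any trivially modified build will miss, so treat a hash match as confirmation, not as the only detection layer.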

Read more: https://socradar.io/dark-web-profile-abyss-ransomware/