Ransomware Roundup – Abyss Locker | FortiGuard Labs

FortiGuard Labs details Abyss Locker, a ransomware family based on HelloKitty code that exfiltrates data, disables recovery mechanisms, stops security/backup services, and encrypts files on Windows and Linux hosts. The malware adds extensions like “.abyss” or “.crypt”, drops ransom notes, and uses TOR for negotiations.

Key points

  • Abyss Locker is derived from HelloKitty source code and has Windows and Linux variants (multiple versions observed).
  • The actor steals victims’ data before running the ransomware payload.
  • On Windows, the ransomware stops numerous database, backup, and security services and terminates many AV/administration processes.
  • It deletes Volume Shadow Copies and adjusts BCD settings to disable automatic repair and ignore boot failures, preventing recovery.
  • Windows builds append “.abyss” or a random five-letter extension; Linux builds append “.crypt” and create “.README_TO_RESTORE” notes.
  • Extensive file- and folder-exclusion lists prevent encryption of system, application, and specific file types on both platforms.
  • Linux variant includes ESXi VM shutdown/kill commands (esxcli vm process list / kill) to stop running VMs prior to encryption.

MITRE Techniques

  • [T1005] Data from Local System – The actor collects files from the host prior to encryption (‘steals victims’ data before deploying and running its ransomware malware for file encryption.’)
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files and appends extensions (Windows: ‘.abyss’ or random five-letter; Linux: ‘.crypt’) (‘The Abyss Locker ransomware encrypts files on compromised machines and adds a “.crypt” extension’ / ‘adds a “.abyss” extension’).
  • [T1490] Inhibit System Recovery – The malware deletes Volume Shadow Copies and disables recovery to prevent restores (‘vssadmin.exe delete shadows /all /quiet’ and ‘wmic SHADOWCOPY DELETE’; also uses ‘bcdedit /set {default} recoveryenabled No’ and ‘bcdedit /set {default} bootstatuspolicy IgnoreAllFailures’).
  • [T1562.001] Disable or Modify Security Tools – It stops services and terminates processes belonging to backup, database, and security products to neutralize defenses (‘It stops the following services:’ / ‘It then terminates the following processes:’).
  • [T1489] Service Stop – The ransomware stops many services (e.g., MSSQL, Veeam, BackupExec, WinDefend) to disrupt operations and keep those services from interfering with the encryption run (‘It stops the following services:’ followed by an extensive service list).

Indicators of Compromise

  • [File Hashes] sample SHA256 file hashes for Abyss Locker – 72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462 (v2 Linux), 3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d (v2 Windows), and 13 more hashes.
  • [File Names / Extensions] ransom notes and encrypted file extensions – WhatHappened.txt (Windows ransom note), .README_TO_RESTORE (Linux ransom note), encrypted file extensions include .abyss (or random five-letter) and .crypt.
  • [Commands / Tools] recovery- and VM-related commands observed – vssadmin.exe delete shadows /all /quiet, wmic SHADOWCOPY DELETE, bcdedit /set {default} recoveryenabled No, and esxcli vm process kill (soft/hard/force) for ESXi VMs.

FortiGuard Labs’ technical analysis shows Abyss Locker first exfiltrates data, then hardens its hold on the host before encrypting files. On Windows the binary halts a long list of services (database, backup, AV, Exchange, Veeam, Backup Exec, SQL-related services, etc.) and terminates numerous processes, including endpoint protection, admin tools, and backup agents. It removes Volume Shadow Copies using ‘vssadmin’ and ‘wmic’ commands and modifies the boot configuration with ‘bcdedit’ to disable Automatic Repair and ignore boot failures. It then encrypts files (appending ‘.abyss’ or, in v1, a random five-letter suffix; ‘.abyss’ was the extension observed) while skipping a comprehensive list of system, program, and media file types and folders; a ransom note (‘WhatHappened.txt’) is dropped and the desktop wallpaper is replaced with a ransom message.

The Linux variant enumerates running ESXi virtual machines with ‘esxcli vm process list’ and then issues progressively more forceful kill commands (‘esxcli vm process kill -t=soft/hard/force -w=[ID]’) to stop the VMs before encrypting host files with a ‘.crypt’ extension and creating ‘.README_TO_RESTORE’ ransom files. Both platforms implement extensive exclusion lists (common system directories and file extensions, VM disks, and backup-related files) to avoid breaking essential system components while still maximizing impact on user data and backups.

Across versions the core procedure remains: collect/steal data, disable recovery and security controls, stop services/processes, encrypt targeted files, leave a ransom note and altered desktop, and provide a TOR-based negotiation site (TOR address varies by version). Detection should focus on the sequence of service stops, AV/process termination, VSS deletion commands, bcdedit modifications, and creation of the specific ransom-note files and encrypted-file extensions.
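As an added example (not code from the FortiGuard report), the following Python routine implements the detection guidance above: it matches the recovery-inhibition and service-stop command lines and the ransom-note/extension artifacts named on this page against constructed sample process-creation events, and alerts per host once several distinct rules fire so that a lone administrative ‘vssadmin list shadows’ does not alert. The event tuples, rule names and alert threshold are assumptions.

```python
import re

# Constructed sample process-creation events (host, command line); not from the report.
SAMPLE_EVENTS = [
    ("ws01", "vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "wmic SHADOWCOPY DELETE"),
    ("ws01", "bcdedit /set {default} recoveryenabled No"),
    ("ws01", "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"),
    ("ws01", "net stop MSSQLSERVER /y"),
    ("ws02", "vssadmin list shadows"),                 # benign admin use; must not alert
    ("esx01", "esxcli vm process list"),
    ("esx01", "esxcli vm process kill -t=force -w=12345"),
]

# Detection rules: (name, MITRE technique, regex over the command line).
RULES = [
    ("vss_delete",          "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadow_delete",  "T1490", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcd_recovery_off",    "T1490", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bcd_ignore_failures", "T1490", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("net_stop_service",    "T1489", re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I)),
    ("esxi_vm_kill",        "T1489", re.compile(r"esxcli\s+vm\s+process\s+kill", re.I)),
]

# Ransom-note file names and encrypted-file extensions named in the report.
NOTE_NAMES = {"whathappened.txt", ".readme_to_restore"}
ENCRYPTED_EXTS = {".abyss", ".crypt"}


def match_event(cmdline):
    """Return the (rule_name, technique) pairs that fire on one command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def correlate(events, min_rules=2):
    """Group rule hits per host and return only hosts where at least
    min_rules distinct rules fired (the chained sequence the report describes)."""
    hits = {}
    for host, cmd in events:
        for name, tech in match_event(cmd):
            hits.setdefault(host, {})[name] = tech
    return {h: r for h, r in hits.items() if len(r) >= min_rules}


def is_ransomware_artifact(path):
    """Flag a file whose name or extension matches the ransom-note/extension IoCs."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in NOTE_NAMES or any(name.endswith(ext) for ext in ENCRYPTED_EXTS)


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(rules.items()))
```

The random five-letter Windows extension is deliberately not matched by extension alone, since that pattern is too broad; the ransom-note file names and the command sequence carry that detection instead.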

Read more: https://feeds.fortinet.com/~/872215307/0/fortinet/blog/threat-research~Ransomware-Roundup-%e2%80%93-Abyss-Locker