Abyss Locker Ransomware Targets VMWare ESXi Servers


Abyss Locker, a new ransomware operation, has joined the growing list of threat actors developing Linux encryptors to target VMware’s popular ESXi virtual machine platform. This trend poses a significant risk as organizations continue to adopt virtual machines for better resource management, performance, and disaster recovery.

Abyss Locker targets and breaches virtual machine infrastructures, steals data for double extortion, and encrypts and locks devices. Its operators then leverage the stolen data by threatening to leak files if a ransom is not paid. Abyss Locker is believed to have launched in March 2023, with fourteen victims listed on its dark web data leak site, ‘Abyss-data.’ The threat actors claim to have stolen between 35 GB and 700 GB of data from the various organizations and agencies they have compromised.

The ransomware operation’s Tactics, Techniques, and Procedures (TTPs) include using a Linux ELF encryptor targeting VMware ESXi servers. The encryptor terminates all virtual machines so that the associated virtual disks, snapshots, and metadata can be encrypted and locked up after the data has been stolen. In addition to targeting virtual machines, the ransomware encrypts all other files on the compromised devices.

Abyss Locker is a standalone threat, although similarities between its encryption technique and that of the HelloKitty ransomware raise questions about possible links or affiliations. With VMware ESXi being one of the most popular virtual machine platforms, almost every ransomware gang has begun releasing Linux encryptors to encrypt virtual servers.

The consequences of this change are significant. As a result of these attacks, organizations that depend on VMware’s ESXi platform could experience substantial operational issues, financial loss, and reputational damage.

Acreto Solution

  • Acreto offers comprehensive protection against threats like Abyss Locker by quickly isolating application access to only users, devices, systems and applications that need to interoperate.

  • Acreto does this with the use of Ecosystems that provide a dedicated security infrastructure per application, use-case, project, or third-party.

  • Ecosystems can be configured as open, closed, or hybrid, providing flexibility depending on the specific needs and risk profiles of the organization. The solution supports various technologies including devices, offices, Internet-of-Things (IoT), and third-party applications.

  • Acreto’s ability to isolate individual or groups of systems on a shared network or entire networks can help limit the ransomware’s reach and propagation. The micro-segmentation and nano-segmentation features ensure that only systems that need to interoperate together have access to each other, reducing the potential attack surface.

  • Acreto’s encrypted secure scan capabilities decrypt, scan, and re-encrypt communications inline and in real-time, blocking any malicious content embedded in the encrypted payload.

  • Acreto offers a variety of controls, from access controls that use identity with multi-factor authentication (MFA) to content controls that manage communication based on content categories. It also controls the upload and download of sensitive data, preventing potential data leaks.

  • Threat prevention capabilities are key in mitigating threats like Abyss Locker. Using threat signatures and zero-day behavioral analysis, Acreto identifies and mitigates known exploits, malware, botnets, and ransomware.

Ecosystems

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Assets Acreto Secures

Access Technologies

  1. Devices
    1. Computers (Org Owned or BYOD)
    2. Mobile Phones / Tablets (Org Owned or BYOD)
  2. Offices
    1. Headquarters
    2. Branches
    3. Small Office / Home Offices
  3. Internet-of-Things (IoT)
    1. ATMs
    2. HVAC
    3. Elevator Controls
    4. Fire Safety Alarms
    5. Smart TVs
    6. Many more…
  4. Third Parties
    1. Offices
    2. Devices
    3. Remote Users

Application Delivery Technologies

  1. Data Centers
    1. Networks
    2. Servers
    3. Virtual Machines
    4. Containers
  2. Clouds
    1. Cloud Instances
    2. Cloud VPCs / Cloud Networks
  3. SaaS / Third Party Applications

Eliminate the Internet Attack Surface

Eliminates all access from the Internet, while Ecosystem members can still interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.
  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
  • Isolated Data Flows: Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols, and application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, or by third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump, among others.
  • Device: Assigns a unique identity to each device so that a device which does not rely on a user to operate, such as an autonomous application or an IoT device, can be validated before it is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc.) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc.) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls
  • Social Security Number Upload / Download Controls
  • RegEx Pattern Upload / Download Controls
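To show how pattern-based upload controls of the kind listed above actually decide, here is an added example (not Acreto’s code, and nothing about how its product is implemented): a small Python classifier that checks constructed sample payloads for credit card numbers (regex candidate plus Luhn checksum, which removes most false positives), for US Social Security Number patterns, and for one hypothetical organisation-specific regex standing in for the "RegEx Pattern" control. The sample payloads, the project-code pattern and the allow/block verdicts are all constructed for illustration.

```python
from __future__ import annotations
import re

# Constructed sample "upload" payloads (not real data). 4111 1111 1111 1111 is a
# well-known Luhn-valid test number; the number in notes.txt is off by one digit.
SAMPLE_UPLOADS = {
    "invoice.txt": "Please bill card 4111 1111 1111 1111 for the order.",
    "notes.txt": "Card on file: 4111-1111-1111-1112 (typo?)",
    "hr.csv": "name,ssn\nJane,123-45-6789",
    "clean.txt": "Meeting at 10:30 in room 4111.",
}

# 13-19 digits, optionally separated by spaces or dashes (candidate only; Luhn decides)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with structurally invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical organisation-specific pattern, standing in for a custom "RegEx Pattern" control
CUSTOM_PATTERNS = {"project-code": re.compile(r"\bPRJ-\d{5}\b")}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return normalised card numbers whose Luhn check passes."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def find_custom(text: str) -> list[tuple[str, str]]:
    return [(name, m.group()) for name, rx in CUSTOM_PATTERNS.items() for m in rx.finditer(text)]


def scan_upload(text: str) -> list[tuple[str, str]]:
    """Classify one payload; each finding is (category, matched value)."""
    findings = [("credit-card", c) for c in find_cards(text)]
    findings += [("ssn", s) for s in find_ssns(text)]
    findings += find_custom(text)
    return findings


def enforce(uploads: dict[str, str]) -> dict[str, str]:
    """Map each file name to 'allow' or 'block' depending on whether any sensitive pattern matched."""
    return {name: ("block" if scan_upload(text) else "allow") for name, text in uploads.items()}


if __name__ == "__main__":
    for name, verdict in enforce(SAMPLE_UPLOADS).items():
        print(f"{name}: {verdict} {scan_upload(SAMPLE_UPLOADS[name])}")
```

The Luhn step is what separates a usable control from a noisy one: any 16-digit run looks like a card number to a regex, but only about one in ten passes the checksum, so the mistyped number in `notes.txt` is allowed while the valid one in `invoice.txt` is blocked.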

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indications of threats based on how system functions react to the payload, immediately and over time.

Event Tracking & Management

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name for the Ecosystem, then choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes and a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup because an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanisms of Attack

  • Abyss Locker ransomware targets VMware’s ESXi virtual machines platform, commonly used by enterprises. As enterprises shift from individual servers to virtual machines, ransomware gangs are focusing on these platforms.

  • Abyss Locker is a relatively new operation, believed to have launched in March 2023. It targets companies in its attacks, breaching corporate networks, stealing data for double-extortion, and encrypting devices on the network.

  • After breaching the network, the Abyss Locker threat actors steal data and use it as leverage, threatening to leak files if a ransom is not paid. To leak stolen files, the actors have created a Tor data leak site named ‘Abyss-data’.

  • Abyss Locker targets VMware ESXi servers using a Linux ELF encryptor. It uses the ‘esxcli’ command-line VMware ESXi management tool to first list all available virtual machines and then terminate them.

  • The ransomware uses the ‘vm process kill’ command to shut down virtual machines using one of the soft, hard, or forced options to allow the associated virtual disks, snapshots, and metadata to be properly encrypted.

  • It encrypts all files with the .vmdk (virtual disks), .vmsd (metadata), and .vmsn (snapshots) extensions. Apart from targeting virtual machines, the ransomware also encrypts all other files on the device and appends the .crypt extension to their filenames.

  • For each file encrypted, the encryptor creates a file with a .README_TO_RESTORE extension, which acts as the ransom note. This note contains information on what happened to the files and a unique link to the threat actor’s Tor negotiation site.
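The behaviours listed above give a defender two concrete things to look for on an ESXi host: a burst of ‘esxcli vm process kill’ commands, and datastore files carrying the .crypt or .README_TO_RESTORE suffix. The following is an added example of detection logic written for this page; it is not code from Acreto, from the ransomware, or from VMware. It runs over constructed sample log lines (their format is only loosely modelled on ESXi’s shell.log and is an assumption) and a constructed datastore listing with invented VM names; the esxcli command, its kill types, and the file extensions are the ones the article describes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on ESXi /var/log/shell.log; the line
# format is an assumption, the esxcli commands are those described in the article.
SHELL_LOG = [
    "2023-07-25T02:14:03Z shell[2011]: [root]: esxcli vm process list",
    "2023-07-25T02:14:05Z shell[2011]: [root]: esxcli vm process kill --type=force --world-id=2104521",
    "2023-07-25T02:14:06Z shell[2011]: [root]: esxcli vm process kill --type=force --world-id=2104588",
    "2023-07-25T02:14:06Z shell[2011]: [root]: esxcli vm process kill --type=hard --world-id=2104602",
    "2023-07-25T09:30:11Z shell[3120]: [root]: esxcli vm process list",
    "2023-07-25T09:32:40Z shell[3120]: [root]: esxcli vm process kill --type=soft --world-id=2104700",
]

# Constructed datastore listing after a hypothetical infection; VM names are invented,
# the .crypt / .README_TO_RESTORE suffixes and the VM file extensions come from the article.
DATASTORE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmsd.crypt",
    "/vmfs/volumes/datastore1/web01/web01-Snapshot1.vmsn.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmx.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmx.README_TO_RESTORE",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
KILL_RE = re.compile(r"esxcli vm process kill(?:\s+--type[= ](\w+))?")
ENCRYPTED_SUFFIX = ".crypt"
NOTE_SUFFIX = ".README_TO_RESTORE"
VM_EXTS = (".vmdk", ".vmsd", ".vmsn")


def parse_kills(lines):
    """Extract (timestamp, kill type) for every 'esxcli vm process kill' seen in the log."""
    kills = []
    for line in lines:
        ts, kill = TS_RE.match(line), KILL_RE.search(line)
        if ts and kill:
            when = datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S")
            kills.append((when, kill.group(1) or "unknown"))
    return kills


def mass_kill_windows(kills, window_s=60, threshold=3):
    """Sliding window over kill events: alert when `threshold` kills land within `window_s`.
    An admin stopping a single VM stays under the threshold; an encryptor killing every VM does not."""
    kills = sorted(kills)
    alerts, start = [], 0
    for end in range(len(kills)):
        while kills[end][0] - kills[start][0] > timedelta(seconds=window_s):
            start += 1
        if end - start + 1 == threshold:  # fires when the window first reaches the threshold
            alerts.append((kills[start][0].isoformat(), threshold))
    return alerts


def find_ransomware_artifacts(paths):
    """Bucket datastore paths into encrypted VM files, other encrypted files, and ransom notes."""
    out = {"vm_files": [], "other": [], "notes": []}
    for p in paths:
        if p.endswith(NOTE_SUFFIX):
            out["notes"].append(p)
        elif p.endswith(ENCRYPTED_SUFFIX):
            stem = p[: -len(ENCRYPTED_SUFFIX)]
            out["vm_files" if stem.endswith(VM_EXTS) else "other"].append(p)
    return out


def triage(log_lines, paths):
    """Combine both signals into one verdict a responder can act on."""
    alerts = mass_kill_windows(parse_kills(log_lines))
    artifacts = find_ransomware_artifacts(paths)
    suspicious = bool(alerts or artifacts["notes"] or artifacts["vm_files"])
    return {"mass_kill_alerts": alerts, "artifacts": artifacts, "suspicious": suspicious}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SHELL_LOG, DATASTORE_LISTING), indent=2))
```

The kill-burst rule is the earlier of the two signals: it can fire before any .crypt file exists, which is the point at which stopping the process still saves the virtual disks. The artifact scan is the slower confirmation and also gives an inventory of which VM files were hit, which is what a restore plan needs.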

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.