Abyss Ransomware, first identified in 2023, is a sophisticated ransomware strain targeting both Windows and Linux systems, with a specific focus on VMware ESXi environments. It employs advanced encryption techniques, multi-extortion tactics, and strategic network infiltration to disrupt operations across various sectors, including finance, healthcare, and technology.
Key Characteristics:
Target Platforms: Windows, Linux (particularly VMware ESXi)
Encryption: Utilizes the Salsa20 encryption algorithm; appends .abyss or .crypt extensions.
Initial Access Vectors: Phishing emails, weak SSH configurations, and exploiting known vulnerabilities in exposed servers.
Multi-Extortion Tactics: Encrypts files and exfiltrates data, threatening public exposure on a TOR-based leak site if ransom demands are not met.
Windows Variant:
Service Termination: Disables critical services (e.g., MSSQL, Exchange) to ensure encryption success.
Persistence: Alters boot configuration to disable recovery options.
File Encryption: Employs Salsa20; ransom note WhatHappened.txt is dropped in each directory.
Obfuscation: Written in C++, using techniques to evade detection and hinder forensic analysis.
Linux Variant:
VMware ESXi Targeting: Leverages esxcli to manage and shut down virtual machines for encryption.
Selective Encryption: Avoids critical system directories to maintain partial system functionality.
Persistence: Establishes daemon processes to ensure the ransomware remains active post-reboot.
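The following is an added defender-side triage example, not code from the original write-up: it scopes the indicators described above (the per-directory ransom note WhatHappened.txt, the .abyss/.crypt extensions, and esxcli VM shutdowns on ESXi) over a constructed directory tree and constructed shell-log lines. The exact `esxcli vm process kill` subcommand and the shell.log line format are assumptions; the write-up only states that esxcli is used to shut VMs down.

```python
import os
import re
import tempfile

RANSOM_NOTE = "WhatHappened.txt"            # dropped in each encrypted directory
ENCRYPTED_EXTS = {".abyss", ".crypt"}        # extensions appended to victims' files
# The write-up only says esxcli is used to shut VMs down; matching the
# `esxcli vm process kill` subcommand is an assumption made here.
ESXCLI_KILL = re.compile(r"esxcli\s+vm\s+process\s+kill\b", re.I)


def triage_tree(root):
    """Walk `root` and report directories holding the ransom note plus the
    number of files with an Abyss extension, to scope the blast radius
    without opening any encrypted file."""
    note_dirs, encrypted = [], 0
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(os.path.relpath(dirpath, root))
        encrypted += sum(os.path.splitext(f)[1].lower() in ENCRYPTED_EXTS for f in files)
    return {"note_dirs": sorted(note_dirs), "encrypted_files": encrypted}


def scan_shell_log(lines):
    """Return shell-log lines where a VM was killed via esxcli, the step that
    precedes datastore encryption in the Linux/ESXi variant."""
    return [ln for ln in lines if ESXCLI_KILL.search(ln)]


def build_sample_tree():
    """Constructed sample tree (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="abyss-triage-")
    layout = {
        "vmfs/volumes/ds1/web01": ["web01.vmdk.crypt", "web01.vmx.crypt", RANSOM_NOTE],
        "vmfs/volumes/ds1/db01": ["db01-flat.vmdk.abyss", RANSOM_NOTE],
        "etc": ["passwd", "hosts"],  # system dir left alone (selective encryption)
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in names:
            open(os.path.join(root, rel, name), "w").close()
    return root


# Constructed lines in the style of ESXi /var/log/shell.log, not from an incident.
SAMPLE_LOG = [
    "2023-09-01T10:00:01Z shell[1001]: [root]: esxcli vm process list",
    "2023-09-01T10:00:05Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101",
    "2023-09-01T10:00:07Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2102",
    "2023-09-01T10:01:00Z shell[1001]: [root]: ls /vmfs/volumes",
]
```

Run `triage_tree(build_sample_tree())` and `scan_shell_log(SAMPLE_LOG)` to see the two affected datastore directories, three encrypted files, and the two VM-kill log lines; on a real host point `triage_tree` at a datastore mount and feed `scan_shell_log` the actual shell log.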