Ransomware Roundup – Abyss Locker | FortiGuard Labs
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Abyss Locker (AbyssLocker) ransomware.
Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows and Linux Users
Impact: Steals and encrypts victims’ files and demands ransom for file decryption and not releasing the stolen data.
Severity level: High
Abyss Locker Ransomware Overview
Although the first Abyss Locker sample was submitted to a publicly available file scanning service in July of 2023, the first variant of the ransomware may date back further as the ransomware is based on the HelloKitty ransomware source code. A version 1 variant of the Abyss Locker ransomware targeting Windows systems was discovered in early January 2024, followed by version 2 for Windows later that month. (We were unable to locate version 1 for Linux.) We review both the Linux and Windows variants in this week’s roundup.
The Abyss Locker threat actor steals victims’ data before deploying and running its ransomware malware for file encryption. The ransomware is also capable of deleting Volume Shadow Copies and system backups.
Infection Vector
Information on the infection vector used by the Abyss Locker ransomware threat actor is unavailable. However, it is not likely to differ significantly from other ransomware groups.
Victimology
The Abyss Locker ransomware samples were submitted to a publicly available file scanning service from a variety of regions, including Europe, North America, South America, and Asia.
Attack Method
Windows Version
The Windows version of the Abyss Locker ransomware version 1 performs the following actions:
It stops the following services:
MSSQLServerADHelper100 |
MSSQL$ISARS |
MSSQL$MSFW |
SQLAgent$ISARS |
SQLAgent$MSFW |
SQLBrowser |
ReportServer$ISARS |
SQLWriter |
WinDefend |
mr2kserv |
MSExchangeADTopology |
MSExchangeFBA |
MSExchangeIS |
MSExchangeSA |
ShadowProtectSvc |
SPAdminV4 |
SPTimerV4 |
SPTraceV4 |
SPUserCodeV4 |
SPWriterV4 |
SPSearch4 |
IISADMIN |
firebirdguardiandefaultinstance |
ibmiasrw |
QBCFMonitorService |
QBVSS |
QBPOSDBServiceV12 |
IBM Domino Server (CProgramFilesIBMDominodata) |
IBM Domino Diagnostics (CProgramFilesIBMDomino) |
Simply Accounting Database Connection Manager |
QuickBooksDB1 |
QuickBooksDB2 |
QuickBooksDB3 |
QuickBooksDB4 |
QuickBooksDB5wrapper |
DefWatch |
ccEvtMgr |
ccSetMgr |
SavRoam |
Sqlservr |
sqlagent |
sqladhlp |
Culserver |
RTVscan |
sqlbrowser |
SQLADHLP |
QBIDPService |
Intuit.QuickBooks.FCS |
msmdsrv |
tomcat6 |
zhudongfangyu |
vmware – usbarbitator64 |
vmware – converter |
dbsrv12 |
dbeng8 |
MSSQL$MICROSOFT##WID |
MSSQL$VEEAMSQL2012 |
SQLAgent$VEEAMSQL2012 |
FishbowlMySQ |
MySQL57 |
MSSQL$KAV_CS_ADMIN_KIT |
SQLAgent$KAV_CS_ADMIN_KIT |
msftesql – Exchange |
MSSQL$MICROSOFT##SSEE |
MSSQL$SBSMONITORING |
MSSQL$SHAREPOINT |
MSSQLFDLauncher$SBSMONITORING |
MSSQLFDLauncher$SHAREPOINT |
SQLAgent$SBSMONITORING |
SQLAgent$SHAREPOINT |
QBFCService |
YooBackup |
YooIT |
svc$ |
MSSQL |
MSSQL$ |
memtas |
mepocs |
sophos |
veeam |
backup |
bedbg |
PDVFSService |
BackupExecVSSProvider |
BackupExecAgentAccelerator |
BackupExecAgentBrowser |
BackupExecDiveciMediaService |
BackupExecJobEngine |
BackupExecManagementService |
BackupExecRPCService |
MVArmor |
MVarmor64 |
stc_raw_agent |
VSNAPVSS |
VeeamTransportSvc |
VeeamDeploymentService |
VeeamNFSSvc |
AcronisAgent |
ARSM |
AcrSch2Svc |
CASAD2DWebSvc |
CAARCUpdateSvc |
WSBExchange |
MSExchange |
MSExchange$ |
GxVss |
GxBlr |
GxFWD |
GxCVD |
GxCIMgr |
It then terminates the following processes:
360doctor.exe |
360se.exe |
ADExplorer.exe |
ADExplorer64.exe |
ADExplorer64a.exe |
Adobe CEF.exe |
Adobe Desktop Service.exe |
AdobeCollabSync.exe |
AdobeIPCBroker.exe |
AutodeskDesktopApp.exe |
Autoruns.exe |
Autoruns64.exe |
Autoruns64a.exe |
Autorunsc.exe |
Autorunsc64.exe |
Autorunsc64a.exe |
AvastUI.exe |
BrCcUxSys.exe |
BrCtrlCntr.exe |
CNTAoSMgr.exe |
CagService.exe |
CoreSync.exe |
Creative Cloud.exe |
Culture.exe |
Defwatch.exe |
DellSystemDetect.exe |
EnterpriseClient.exe |
GDscan.exe |
GWCtlSrv.exe |
GlassWire.exe |
Helper.exe |
InputPersonalization.exe |
MsDtSrvr.exe |
MsDtsSrvr.exe |
MsMpEng.exe |
ONENOTEM.exe |
PccNTMon.exe |
ProcessHacker.exe |
Procexp.exe |
Procexp64.exe |
QBDBMgr.exe |
QBDBMgrN.exe |
QBIDPService.exe |
QBW32.exe |
RAgui.exe |
RTVscan.exe |
Raccine.exe |
RaccineElevatedCfg.exe |
RaccineSettings.exe |
Raccine_x86.exe |
RdrCEF.exe |
ReportingServicesService.exe |
SQLAGENT.EXE |
Simply.SystemTrayIcon.exe |
SimplyConnectionManager.exe |
Sqlservr.exe, Ssms.exe |
Sysmon.exe |
Sysmon64.exe |
SystemExplorer.exe |
SystemExplorerService.exe |
SystemExplorerService64.exe |
TMBMSRV.exe |
TeamViewer.exe |
TeamViewer_Service.exe |
TitanV, Ssms.exe |
TmCCSF.exe |
TmListen.exe |
TmPfw.exe |
TmProxy.exe |
Totalcmd.exe |
Totalcmd64.exe |
VeeamDeploymentSvc.exe |
WRSA.exe |
WireShark.exe |
ZhuDongFangYu.exe |
acwebbrowser.exe |
agntsvc.exe |
avp.exe |
avz.exe |
axlbridge.exe |
bedbh.exe |
benetns.exe |
bengien.exe |
beserver.exe |
dbeng50.exe |
dbsnmp.exe |
dumpcap.exe |
egui.exe |
encsvc.exe |
excel.exe |
fbguard.exe |
fbserver.exe |
fdhost.exe |
fdlauncher.exe |
firefox.exe |
httpd.exe |
infopath.exe |
isqlplussvc.exe |
j0gnjko1.exe |
java.exe |
msaccess.exe |
msftesql.exe |
msmdsrv.exe |
mspub.exe |
mydesktopqos.exe |
mydesktopservice.exe |
mysqld.exe |
node.exe |
notepad++.exe |
notepad.exe |
ntrtscan.exe |
ocautoupds.exe |
ocomm.exe |
ocssd.exe |
onenote.exe |
oracle.exe |
outlook.exe |
pg_ctl.exe |
postgres.exe |
powerpnt.exe |
procexp64a.exe |
mon.exe |
proc, procmon64.exe |
procmon64a.exe |
pvlsvr.exe |
qbupdate.exe |
raw_agent_svc.exe |
sam.exe |
sqbcoreservice.exe |
sql.exe |
sqlbrowser.exe |
sqlceip.exe |
sqlmangr.exe |
sqlservr.exe |
sqlwriter.exe |
steam.exe |
supervise.exe |
synctime.exe |
tbirdconfig.exe |
tcpview.exe |
tcpview64.exe |
tcpview64a.exe |
tdsskiller.exe |
thebat.exe |
thunderbird.exe |
tomcat6.exe |
tv_w32.exe |
tv_x64.exe |
visio.exe |
vsnapvss.exe |
vxmon.exe |
wdswfsafe.exe |
winword.exe |
wordpad.exe |
wsa_service.exe |
wxServer.exe |
wxServerView.exe |
xfssvccon.exe |
The ransomware uses the following commands to delete Volume Shadow Copies:
- vssadmin.exe delete shadows /all /quiet
- wmic SHADOWCOPY DELETE
It runs the following commands to set the boot status policy:
- bcdedit / set{ default } recoveryenabled No
(Disable Automatic Repair) - bcdedit / set{ default } bootstatuspolicy IgnoreAllFailures
(Ignore all boot failures and start Windows normally)
The Abyss Locker ransomware encrypts files on compromised machines and adds a “.abyss” extension to the encrypted files. The Abyss Locker version 1 variant for Windows adds a random five-letter extension instead of “.abyss.”
The ransomware drops a ransom note labeled “WhatHappened.txt.”
The TOR site used for ransom negotiations was not accessible at the time of our investigation.
It then replaces the desktop wallpaper with its own, which contains a ransom message:
However, the following file encryption exception applies to the Abyss Locker ransomware:
It skips encrypting files with the following extensions:
.Abyss |
.386 |
.cmd |
.ani |
.adv |
.msi |
.msp |
.com |
.nls |
.ocx |
.mpa |
.cpl |
.mod |
.hta |
.prf |
.rtp |
.rpd |
.bin |
.hlp |
.shs |
.drv |
.wpx |
.bat |
.rom |
.msc |
.spl |
.msu |
.ics |
.key |
.exe |
.dllv |
.lnk |
.icov |
.sys |
.cur |
.idx |
.ini |
.reg |
.mp3 |
.mp4 |
.apk |
.ttf |
.otf |
.fon |
.fnt |
.dmp |
.tmp |
.pif |
.wav |
.wma |
.dmg |
.iso |
.app |
.ipa |
.xex |
.wad |
.icns |
.lock |
.theme |
.diagcfg |
.blf |
.diagcab |
.diagpkg |
.msstyles |
.gadget |
.woff |
.part |
.sfcache |
.winmd |
It also skips encrypting the following files:
work.log |
autorun.inf |
boot.ini |
bootfont.bin |
bootsect.bak |
bootmgr |
bootmgr.efi |
bootmgfw.efi |
desktop.ini |
iconcache.db |
ntldr |
ntuser |
dat |
ntuser.dat.log |
ntuser.ini |
thumbs.db |
!CryptoLockerDetectionDONT-DELETE!.jpg |
WhatHappened.txt |
In addition, it avoids encrypting files in the following folders:
Boot |
Windows |
Windows.old |
$Windows.~bt |
$windows.~ws |
windows nt |
msbuild |
microsoft |
perflog |
Microsoft – Cloud |
Computers |
Apps & Gaming |
microsoft shared |
common files |
windows defender |
windowspowershell |
windows security |
usoshared |
windowsapp |
windows journal |
windows photo viewer |
$Recycle.Bin |
All Users |
Program Files |
Program Files (x86) |
system volume information |
msocache |
Tor Browser |
Internet Explorer |
|
Opera |
Opera Software |
Mozilla |
Mozilla Firefox |
#recycle |
Our analysis of Abyss Locker ransomware version 2, which appeared in late January 2024, found no differences from version 1 in terms of functionality. The only differences we could find are the ransom message (including the message on the replaced wallpaper), which clearly states that it’s version 2, and the TOR address used for ransom negotiation.
The TOR site used by this version of Abyss Locker ransomware for ransom negotiation was still accessible at the time of our investigation.
Linux Version
This ransomware variant runs the following run commands:
- esxcli vm process list
– (get list of running VMs) - esxcli vm process kill -t=soft -w=[ID of VM]
– (try to kill VMs gracefully) - esxcli vm process kill -t=hard -w=[ID of VM]
– (if the previous command fails, try to immediately shutdown the VMs) - esxcli vm process kill -t=force -w=[ID of VM]
– (if the previous command fails,forcefully kill the VMs as a last resort)
The ransomware then encrypts files on the compromised machines and adds a “.crypt” extension to the encrypted files.
It then creates files with a “.README_TO_RESTORE” extension, which is a ransom note.
It avoids encrypting files in the following directories:
/boot |
/dev |
/etc |
/lost+found |
/proc |
/run |
/usr/bin |
/usr/include |
/usr/lib |
/usr/lib32 |
/usr/lib64 |
/usr/sbin |
/sys |
/usr/libexec |
/usr/share |
/var/lib |
It also avoids encrypting files with the following extensions:
.vmdk |
.vmsd |
.vmsn |
.crypt |
.README_TO_RESTORE |
.tmp |
.a |
.so |
.la |
Data Leak Site
Currently, the Abyss Locker ransomware threat actor does not appear to have a TOR site that exposes the victim’s name and allows others to view the stolen data, although BleepingComputer previously reported such a leak site in mid-2023. However, the threat actor does offer a ransom negotiation site on TOR.
The ransom is set low for businesses and high for consumers ($282,380 in this case), making it difficult to determine who is being targeted.
Fortinet Protections
The Abyss Locker ransomware described in this report are detected and blocked by FortiGuard Antivirus as:
- W64/Rook.B!tr.ransom
- W64/Filecoder_Rook.B!tr
- W64/Filecoder_Rook.B!tr.ransom
- Linux/Filecoder_HelloKitty.A!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
IOCs
Abyss Locker Ransomware File IOCs
SHA2 |
Note |
72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462 |
Abyss Locker v2 (Linux) |
3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d |
Abyss Locker v2 (Windows) |
9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc |
Abyss Locker v1 (Windows) |
0763e887924f6c7afad58e7675ecfe34ab615f4bd8f569759b1c33f0b6d08c64 |
Abyss Locker v1 (Windows) |
dee2af08e1f5bb89e7bad79fae5c39c71ff089083d65da1c03c7a4c051fabae0 |
Abyss Locker v1 (Windows) |
e6537d30d66727c5a306dc291f02ceb9d2b48bffe89dd5eff7aa2d22e28b6d7c |
Abyss Locker v1 (Windows) |
1d04d9a8eeed0e1371afed06dcc7300c7b8ca341fe2d4d777191a26dabac3596 |
Abyss Locker v1 (Windows) |
1a31b8e23ccc7933c442d88523210c89cebd2c199d9ebb88b3d16eacbefe4120 |
Abyss Locker v1 (Windows) |
25ce2fec4cd164a93dee5d00ab547ebe47a4b713cced567ab9aca4a7080afcb7 |
Abyss Locker v1 (Windows) |
b524773160f3cb3bfb96e7704ef31a986a179395d40a578edce8257862cafe5f |
Abyss Locker v1 (Windows) |
362a16c5e86f13700bdf2d58f6c0ab26e289b6a5c10ad2769f3412ec0b2da711 |
Abyss Locker v1 (Windows) |
e5417c7a24aa6f952170e9dfcfdf044c2a7259a03a7683c3ddb72512ad0cd5c7 |
Abyss Locker v1 (Windows) |
056220ff4204783d8cc8e596b3fc463a2e6b130db08ec923f17c9a78aa2032da |
Abyss Locker v1 (Windows) |
877c8a1c391e21727b2cdb2f87c7b0b37fb7be1d8dd2d941f5c20b30eb65ee97 |
Abyss Locker v1 (Windows) |
2e42b9ded573e97c095e45dad0bdd2a2d6a0a99e4f7242695054217e2bba6829 |
Abyss Locker v1 (Windows) |
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.
Best Practices Include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.