Malware

Now Abyss Locker also targets VMware ESXi servers

A Linux variant of the Abyss Locker designed to target VMware ESXi servers appeared in the threat landscape, experts warn.

The operators behind the Abyss Locker developed a Linux variant that targets VMware ESXi servers expanding their potential targets.

VMware ESXi servers are privileged targets of ransomware groups and are often part of enterprises’ infrastructures.

The Abyss Locker operation was launched early this year, like other ransomware groups, its operators implement a double-extortion model. At the time of this writing, the Tor leak site managed by the Abyss group lists 14 victim organizations.

Bleeping Computer reported that the researcher MalwareHunterTeam first discovered a Linux ELF encryptor for the Abyss ransomware that was designed to target VMware ESXi servers. Cybersecurity experts Michael Gillespie told BleepingComputer that the Abyss Locker Linux encryptor is based on the Hello Kitty ransomware.

The analysis of the encryptor code revealed that use of the ‘esxcli’ command-line VMware ESXi management tool enumerate virtual machines and terminate them.

Once the VM has been terminated, the malicious code can encrypt virtual disks (.vmdk), metadata (.vmsd), and snapshots (.vmsn).

The Abyss encryptor appends the .crypt extension to the filenames of the encrypted files and for each file creates a file with a .README_TO_RESTORE extension, which is the ransom note that contains the instructions for the negotiations.

Abyss Locker is the last operation in order of time that developed an encryptor to target VMware ESXi servers, other ransomware groups using Linux encryptors are AvosLockerBlack Basta, BlackMatterHelloKitty, LockBit, LunaRansomEXX, REvil, and Royal.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Abyss)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups

US and allies warn of Russian APT groups targeting routers and network devices to compromise…

4 hours ago

Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems

LegacyHive PoC exposes a Windows Privilege Escalation flaw affecting fully patched Windows desktop and server…

6 hours ago

AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads

AsyncAPI npm packages with 2M weekly downloads were compromised, spreading malware with info-stealing, crypto-theft and…

11 hours ago

U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall and Microsoft flaws to its Known…

12 hours ago

SonicWall warns of active exploitation of two SMA 1000 zero-days

SonicWall warns of active attacks exploiting two SMA 1000 zero-days, including a flaw enabling arbitrary…

15 hours ago

Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month

Patch Tuesday: Microsoft fixes a record 621 CVEs, including 2 exploited zero-days and critical flaws…

1 day ago

This website uses cookies.