Abyss Locker Ransomware Attack Chain Revealed with Windows, ESXi, and NAS Devices Compromised
Abyss Locker, a ransomware group active since 2023, has been observed executing targeted intrusions across multiple platforms, including Windows, ESXi, VPN appliances, and network-attached storage (NAS) devices. Findings detailing the tactics, techniques, and procedures (TTPs) of the ransomware gang were reported by Sygnia, identifying how the group gains initial access, moves laterally, and deploys ransomware payloads. Sygnia’s analysis provides insights into the group’s attack patterns, demonstrating their use of tunneling utilities, credential theft, and anti-detection techniques to evade security measures and maintain persistence in compromised networks.
A review of an incident initiated by the Abyss ransomware gang began with the exploitation of a SonicWall VPN appliance affected by CVE-2021-20038, a buffer overflow vulnerability, to gain initial access. Once inside, their primary objective appeared to be targeting backup appliances, such as Veeam systems. Sygnia identified the use of a PowerShell script with "significant code similarities with ‘Veeam-Get-Creds.ps1’," an open-source credential recovery tool hosted on GitHub for Veeam backup solutions. The attackers were seen deploying both an obfuscated version and a variant named 'veeam11.ps1' to retrieve authentication credentials. In addition to PowerShell-based credential harvesting, the attackers also dumped the Windows Security Account Manager (SAM) and Security registry hives to prepare for lateral movement.
To evade detection, Abyss Locker relies on impairing security monitoring and renaming its executables. Observed examples include disabling Windows Defender by modifying the 'DisableAntiSpyware' registry key and using Task Manager to terminate security services running on the host system. They also leverage the 'Bring Your Own Vulnerable Driver' (BYOVD) technique, utilizing signed but exploitable drivers such as 'UpdateDrv.sys' from Zemana Anti-Logger to disable endpoint protection. At various stages of the intrusion, the threat actors demonstrated continuous efforts to evade detection by renaming payloads, such as Chisel and Rclone. Another prominent technique used by Abyss operators for command-and-control (C2) is tunneling, chiefly through Chisel, SSH, and SOCKS proxies. The attackers deploy Chisel on NAS devices, renaming it to 'apache2' and moving it from '/tmp' to '/bin' to disguise its presence. Sygnia also found the creation of a new user account named 'support' to facilitate continued access.
Post-exploitation activity on NAS devices includes clearing forensic artifacts using 'rm /var/tmp/.bash_history' to remove traces of their operations. On Windows hosts, they establish SSH backdoors by deploying OpenSSH-based tunneling tools configured as a persistent service under the name 'WMI Helper Agent.' These backdoors are configured via PowerShell scripts, such as 'deploy443.ps1,' which define connection parameters and C2 endpoints. For lateral movement, Abyss relies on PsExec and Impacket’s SMBExec and ATExec scripts to execute commands remotely. For data exfiltration, Abyss Locker utilizes 'Rclone' for data transfers. The executable was dropped on the host under the name 'ltsvc.exe,' with a review of its help documentation "showing identical content to that of Rclone."
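The defense-evasion, persistence, C2 and exfiltration indicators described in the two paragraphs above lend themselves to simple hunting rules. The following Python script is an added example written for this article, not Sygnia's tooling: it runs a rule per indicator over a handful of constructed telemetry records (the flat event layout, field names, hostnames and image paths are all assumptions) and reports which host triggered which rule. Matches on filenames such as 'ltsvc.exe' or 'apache2' are name-based only and should be confirmed against a hash or the binary's help output before being treated as Rclone or Chisel.

```python
"""Hunting rules for the Abyss Locker post-exploitation indicators reported above.
Added example for this article, not Sygnia's code; event field names and the
sample records are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed telemetry: Windows registry/service/process records and NAS shell
# audit records normalised into flat dicts (the schema is an assumption).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "1"},
    {"host": "ws01", "type": "service", "name": "WMI Helper Agent",
     "image": r"C:\ProgramData\ssh.exe"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\Temp\ltsvc.exe",
     "cmdline": "ltsvc.exe copy C:\\Share remote:bucket"},
    {"host": "nas01", "type": "shell", "cmd": "mv /tmp/apache2 /bin/apache2"},
    {"host": "nas01", "type": "shell", "cmd": "rm /var/tmp/.bash_history"},
    {"host": "nas01", "type": "useradd", "user": "support"},
    # Benign activity that must not fire: a legitimate ssh client, a real
    # apache2 restart, and an analyst reading (not deleting) shell history.
    {"host": "ws02", "type": "process", "image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "cmdline": "ssh -T git@example.com"},
    {"host": "web01", "type": "shell", "cmd": "systemctl restart apache2"},
    {"host": "nas01", "type": "shell", "cmd": "cat /var/tmp/.bash_history"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def defender_disabled(e):
    """Windows Defender turned off through the DisableAntiSpyware value."""
    return (e["type"] == "registry"
            and _basename(e["path"]) == "disableantispyware"
            and str(e["value"]) == "1")


def ssh_backdoor_service(e):
    """Persistent OpenSSH tunnel registered under the observed service name."""
    return e["type"] == "service" and e["name"].strip().lower() == "wmi helper agent"


def renamed_rclone(e):
    """Rclone dropped under the observed filename; name-based match only."""
    return e["type"] == "process" and _basename(e["image"]) == "ltsvc.exe"


def chisel_staged_as_apache2(e):
    """A binary moved out of /tmp into /bin under the name 'apache2'."""
    return (e["type"] == "shell"
            and re.search(r"\bmv\s+/tmp/\S+\s+/bin/apache2\b", e["cmd"]) is not None)


def bash_history_removed(e):
    """Anti-forensics: deletion of a shell history file."""
    return (e["type"] == "shell"
            and re.match(r"\s*rm\b.*\.bash_history\b", e["cmd"]) is not None)


def support_account_created(e):
    """New local account named 'support' used for continued access."""
    return e["type"] == "useradd" and e["user"].lower() == "support"


RULES = [defender_disabled, ssh_backdoor_service, renamed_rclone,
         chisel_staged_as_apache2, bash_history_removed, support_account_created]


def hunt(events):
    """Apply every rule to every event; return one Finding per (event, rule) hit."""
    findings = []
    for e in events:
        for rule in RULES:
            if rule(e):
                evidence = (e.get("cmd") or e.get("cmdline") or e.get("path")
                            or e.get("name") or e.get("user") or "")
                findings.append(Finding(e["host"], rule.__name__, evidence))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:26} {f.evidence}")
```

Each rule is deliberately narrow and keyed to an indicator named in the report; in production the same structure would feed from a SIEM export rather than the inline list, and the name-based rules would be paired with file-hash or binary-banner checks.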
Once exfiltration activities are complete, Abyss Locker proceeds with the ransomware encryption phase. Files on Windows hosts are appended with the '.Abyss' extension, while files in ESXi environments are encrypted with the '.crypt' extension. The attackers drop a ransom note titled 'WhatHappened.txt' and attempt to delete volume shadow copies to prevent data recovery.
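The encryption-phase artefacts above (the '.Abyss' and '.crypt' extensions and the 'WhatHappened.txt' note) are what an incident responder scopes first. The Python below is an added example, not Sygnia's tooling: it walks a directory tree, tallies encrypted files by the platform their extension implies, locates ransom notes, and reports the share of files affected. The sample tree it builds in a temporary directory (share and datastore names, file names and note contents) is constructed for the example; on a real engagement the function would be pointed at a mounted share or datastore.

```python
"""Filesystem triage for the Abyss Locker encryption phase reported above.
Added example for this article, not Sygnia's code; the sample tree is constructed."""
import os
import tempfile
from collections import Counter

# Extensions observed in the report, mapped to the platform they were seen on.
ENCRYPTED_EXTENSIONS = {".abyss": "windows", ".crypt": "esxi"}
RANSOM_NOTE = "whathappened.txt"


def triage(root):
    """Walk `root` and summarise encrypted files and ransom notes found under it."""
    per_platform = Counter()
    notes = []
    total_files = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total_files += 1
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                continue
            platform = ENCRYPTED_EXTENSIONS.get(os.path.splitext(lower)[1])
            if platform:
                per_platform[platform] += 1
    encrypted = sum(per_platform.values())
    return {
        "total_files": total_files,
        "encrypted": encrypted,
        "by_platform": dict(per_platform),
        "ransom_notes": sorted(notes),
        # share of non-note files that carry an encrypted extension
        "encrypted_ratio": encrypted / max(total_files - len(notes), 1),
    }


def build_sample_tree(root):
    """Constructed sample: a Windows share and an ESXi datastore after encryption."""
    layout = {
        "share/finance/q1.xlsx.Abyss": b"",
        "share/finance/q2.xlsx.Abyss": b"",
        "share/finance/WhatHappened.txt": b"constructed note",
        "share/readme.txt": b"untouched",
        "datastore1/vm01/vm01.vmdk.crypt": b"",
        "datastore1/vm01/vm01.vmx.crypt": b"",
        "datastore1/WhatHappened.txt": b"constructed note",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    summary = run_demo()
    print(f"encrypted {summary['encrypted']}/{summary['total_files']} files "
          f"({summary['encrypted_ratio']:.0%}), by platform {summary['by_platform']}")
    for note in summary["ransom_notes"]:
        print("ransom note:", note)
```

The extension check is a triage heuristic rather than proof of encryption; a file that merely happens to end in '.crypt' would also be counted, so the totals are for scoping the response, and the note locations give the directories to preserve before any cleanup.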