
Abyss Locker Ransomware Group: Dark Web Data Leaks Case Study

  • securedmonk
  • Feb 11
  • 8 min read


Image: Abyss Ransomware Group


Abyss Locker (also tracked as Abyss Locker ransomware, the Abyss Locker group, or AbyssLocker) is a sophisticated double-extortion ransomware operation that first emerged in 2023. It encrypts victim files, exfiltrates sensitive data, and threatens to publish victim information and the stolen data on its dark web leak site if the ransom is not paid.


The group excels at targeting critical infrastructure, leveraging multi-platform capabilities, including specialized ESXi and Linux variants, to compromise VMware ESXi hypervisors and encrypt virtual environments at scale.


What differentiates Abyss Locker from lower-tier ransomware operations is its deliberate focus on enterprise environments, particularly those relying on virtualization, centralized backups, and perimeter VPN access. This approach maximizes both operational disruption and extortion leverage.

Executive Summary


Abyss Locker draws on the established HelloKitty ransomware lineage (the HelloKitty trojan and its source code), blending mature encryption techniques with aggressive double-extortion strategies. It attacks both Windows and Linux systems, with an emphasis on ESXi intrusions that shut down and encrypt multiple virtual machines simultaneously.


The threat actors employ advanced defense evasion, credential theft, custom tunneling for persistence, and tools like Rclone for data exfiltration to cloud storage. The group primarily focuses on U.S.-based organizations in the manufacturing, healthcare, and technology sectors, though victims span multiple continents.

While not the most prolific group, its technical sophistication and focus on virtualized environments make it a persistent high-impact threat requiring robust, multi-layered defenses.

Origins and Background


Timeline and Evolution


Abyss Locker appeared on cybersecurity radars in March 2023, though linked activities trace back further. The first public sample was uploaded in July 2023, but overlapping data leaks on the Breached forum in January 2023 (under the alias “infoleak222”) suggest earlier operations predating the public Abyss Ransomware Group site.

This early data-centric activity indicates that data theft and exposure were central to the operation from its inception, with ransomware deployment later formalized as a coercive mechanism rather than the primary objective.


Malware Lineage


Built on Babuk source code, Abyss Locker adopts encryption approaches akin to those of the HelloKitty ransomware codebase, providing a reliable base for cross-platform development and rapid evolution.

This lineage explains why some Linux samples are still detected under HelloKitty trojan signatures and why defenders continue to observe HelloKitty-style indicators in Abyss Locker campaigns.

Target Profile and Victimology


Geographic Distribution


The group predominantly targets the United States (over 48 documented incidents), with additional victims in Germany, the United Kingdom, Sweden, Switzerland, Canada, Italy, Georgia, and Hong Kong. Samples originate from diverse regions, including North America, Europe, Asia, and South America.

This distribution suggests financially motivated targeting rather than geopolitically driven campaigns, with emphasis placed on organizations capable of paying ransoms or suffering regulatory consequences from data exposure.


Industry Targeting


Key industries impacted include manufacturing (heavily targeted), healthcare and social assistance, finance and insurance, professional/scientific/technical services, construction, and consumer non-cyclicals.

These sectors share common characteristics: high uptime requirements, complex IT estates, and sensitive data that becomes highly damaging when leaked on the group’s dark web site.

Technical Capabilities and Attack Infrastructure


Multi-Platform Operations


Abyss Locker deploys Windows and Linux payloads, with the Linux and ESXi variants optimized for VMware ESXi hypervisors. These allow attackers to disrupt and encrypt numerous virtual servers in one operation.

From an attacker’s perspective, compromising ESXi hosts provides exponential impact: a single encrypted datastore can disable business-critical applications, identity services, and backups simultaneously.


Ransomware Versions


  • Version 1 (Windows): Emerged early January 2024, using random five-letter extensions

  • Version 2 (Windows): Late January 2024, with primarily cosmetic changes (updated notes and TOR links)

  • Linux versions lack confirmed Version 1 distinctions

The lack of functional differences between versions suggests a stable and mature codebase rather than rapid experimentation.

Attack Methodology and Kill Chain


Initial Access


Entry often occurs via exploitation of unpatched VPN appliances (SonicWall vulnerabilities such as CVE-2021-20038) or weak SSH configurations targeted by brute-force attacks.

This access method highlights a key trend: Abyss Locker does not rely on phishing. Instead, it capitalizes on perimeter security failures, allowing attackers to authenticate directly into trusted network segments.


Credential Harvesting


Attackers focus on backup appliances like Veeam, using modified open-source Veeam-Get-Creds.ps1 scripts to extract privileged credentials. They also dump Windows SAM and security registry hives remotely.

Backup systems are particularly valuable targets because they often store credentials with domain-wide or infrastructure-level privileges.


Defense Evasion Tactics


Evasion includes registry-based disabling of Windows Defender, process termination of EDR agents, BYOVD techniques with vulnerable drivers (e.g., UpdateDrv.sys from Zemana, ped.sys from Process Explorer, 3ware.sys), and dedicated AV/EDR killers like SophosAV.exe.

These techniques allow the ransomware to operate undetected long enough to complete the data exfiltration and encryption phases.


Command and Control Infrastructure

The group relies extensively on SSH/SOCKS tunneling via Chisel and native SSH binaries deployed on ESXi hosts, VPN appliances, NAS devices, and Windows systems. Custom persistence involves OpenSSH backdoors (e.g., deploy443.ps1 installs a “WMI Helper Agent” service running as wmihelper.exe).

ESXi and NAS devices are favored because they are stable, always-on systems that provide excellent pivot points for lateral movement.


Lateral Movement

The group uses PsExec, Impacket tools (SMBExec, ATExec), and harvested credentials for network traversal. Movement is typically deliberate and low-noise, targeting infrastructure systems rather than end-user workstations.


Data Exfiltration

The group employs a renamed Rclone binary (often ltsvc.exe) to selectively upload data to AWS S3 and Backblaze, using filters for targeted file extensions.

This selective approach ensures that only high-value data is taken, increasing extortion leverage while minimizing transfer volume.
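As an added example (not code from this write-up, Secured Monk, or the group), the following triage logic pulls together the host indicators from the Defense Evasion, Command and Control, and Data Exfiltration sections above and runs them over constructed Sysmon-style events: a renamed Rclone binary caught through its original file name, the named BYOVD drivers and tool names, and a Defender policy registry value (which value the tampering sets is an assumption).

```python
"""Triage Sysmon-style events for the Abyss Locker TTPs described above.

Added example, not code from Abyss Locker or Secured Monk. Field names follow
Sysmon (Image, OriginalFileName, ImageLoaded, TargetObject, Details); which
Defender policy value the registry tampering sets is an assumption.
"""
import re

BYOVD_DRIVERS = {"updatedrv.sys", "ped.sys", "3ware.sys"}  # drivers named in the write-up
TOOL_NAMES = {"sophosav.exe", "chisel.exe", "deploy443.ps1", "wmihelper.exe"}
DEFENDER_POLICY = re.compile(r"\\windows defender\\disableantispyware$", re.I)

def triage(event):
    """Return the list of rule names one event matches (empty if clean)."""
    hits = []
    kind = event.get("EventType")
    basename = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if kind == "ProcessCreate":
        # Renamed Rclone: the PE version resource still says rclone.exe while
        # the on-disk name differs (ltsvc.exe in the write-up).
        if event.get("OriginalFileName", "").lower() == "rclone.exe" and basename != "rclone.exe":
            hits.append("renamed_rclone")
        if basename in TOOL_NAMES:
            hits.append("known_tool_name")
    elif kind == "DriverLoad":
        if event.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1] in BYOVD_DRIVERS:
            hits.append("byovd_driver")
    elif kind == "RegistryValueSet":
        if DEFENDER_POLICY.search(event.get("TargetObject", "")) and "0x00000001" in event.get("Details", ""):
            hits.append("defender_disabled_via_registry")
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\ltsvc.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"ltsvc.exe copy D:\Shares s3:bucket --include *.pdf"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\Temp\SophosAV.exe", "OriginalFileName": "SophosAV.exe"},
    {"EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\Temp\UpdateDrv.sys"},
    {"EventType": "RegistryValueSet", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"EventType": "ProcessCreate", "Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe"},  # benign
]

def scan(events):
    """Map event index -> rule hits for every event that matched at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := triage(e))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["EventType"], hits)
```

The benign last event shows why the Rclone rule keys on the mismatch between OriginalFileName and the on-disk name rather than on Rclone itself, which many backup teams run legitimately.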

Encryption Process and File Impact


Windows Encryption Operations


The Windows payload terminates services (e.g., MSSQLServer, WinDefend, Veeam services, Exchange), kills processes (Office applications, databases, AV/EDR), deletes shadow copies, alters boot policies, encrypts files with the .abyss extension (v2) or random extensions (v1) using ChaCha20/Salsa20, drops WhatHappened.txt, and replaces the desktop wallpaper.


Image: the WhatHappened.txt ransom note dropped by Abyss Locker

This image shows the WhatHappened.txt ransom note delivered during Windows encryption. The language emphasizes data theft, confidentiality promises, and reputational damage, reinforcing the group’s double-extortion strategy.


It excludes system files, media, fonts, and directories such as Windows, Program Files, browser directories, and $Recycle.Bin to keep the system operable for ransom negotiations.


Linux/ESXi Encryption Operations


The Linux/ESXi payload uses esxcli to list and shut down VMs (soft → hard → force kill), encrypts files with the .crypt extension, and drops .README_TO_RESTORE notes. It excludes critical paths (/boot, /dev, /etc) and extensions (.vmdk, .crypt, .so).

This controlled shutdown and exclusion behavior demonstrates operational maturity and intent to preserve host stability.

Operational Infrastructure


Data Leak Site and Extortion


As a double-extortion operation, Abyss Locker operates infrastructure for both ransom negotiation and data exposure. “Currently, the Abyss Locker ransomware threat actor does not appear to have a TOR site that exposes the victim’s name and allows others to view the stolen data, although BleepingComputer previously reported such a leak site in mid-2023. However, the threat actor does offer a ransom negotiation site on TOR”.


Many major security vendors confirm the existence of a “TOR-based website where victims are listed along with their exfiltrated data should they fail to comply with the demands of the threat actor”.

Image: Abyss Locker Ransomware Group dark web site

This image represents an Abyss Locker dark web leak portal advertising “free data,” a psychological tactic designed to amplify reputational harm and pressure negotiations.

Indicators of Compromise (IOCs)


File Hashes

  • Abyss Locker v2 (Linux): 72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462

  • Abyss Locker v2 (Windows): 3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d

  • Abyss Locker v1 (Windows): multiple documented samples


C2 Infrastructure

Example: 64.95.12[.]57:443


File Artifacts

  • Ransom notes: WhatHappened.txt, .README_TO_RESTORE

  • Encrypted extensions: .abyss, random 5-letter, .crypt

  • Log file: work.log
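As an added example (not code from the page or the group), the following sweep walks a directory tree for the file artifacts listed above and in the encryption sections: the two ransom notes, the .abyss and .crypt extensions, the work.log file, and the v1 random five-letter extension, which is matched heuristically (an assumption, softened by a small allowlist of ordinary five-letter extensions). The sample tree is constructed with tempfile.

```python
"""Sweep a directory tree for the Abyss Locker file artifacts listed above.

Added example, not code from the page or the group. The sample tree is built
with tempfile; flagging any unlisted five-letter extension as a v1 "random
extension" is a heuristic assumption, softened by a small allowlist.
"""
import os
import tempfile

RANSOM_NOTES = {"whathappened.txt", ".readme_to_restore"}
KNOWN_EXTS = {".abyss", ".crypt"}
BENIGN_FIVE = {".class", ".jsonl", ".swift", ".ascii"}  # ordinary five-letter extensions

def classify(path):
    """Return an artifact category for one path, or None if it looks clean."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name == "work.log":
        return "work_log"
    ext = os.path.splitext(name)[1]
    if ext in KNOWN_EXTS:
        return "encrypted_" + ext[1:]
    if len(ext) == 6 and ext[1:].isascii() and ext[1:].isalpha() and ext not in BENIGN_FIVE:
        return "encrypted_random5"
    return None

def sweep(root):
    """Walk root and return {category: [paths relative to root]}."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            cat = classify(f)
            if cat:
                found.setdefault(cat, []).append(os.path.relpath(os.path.join(dirpath, f), root))
    return found

def build_sample_tree():
    """Constructed victim-like tree mixing encrypted files, notes, and clean files."""
    root = tempfile.mkdtemp(prefix="abyss_demo_")
    for rel in ("Finance/budget.xlsx.abyss", "Finance/WhatHappened.txt", "Shares/contract.pdf.qzxwv",
                "Shares/report.docx", "vmfs/volumes/ds1/web01/web01.vmdk",  # .vmdk is skipped by the malware
                "vmfs/volumes/ds1/web01/web01.vmx.crypt", "vmfs/volumes/ds1/.README_TO_RESTORE",
                "Windows/Temp/work.log", "src/Main.class"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    for cat, paths in sorted(sweep(build_sample_tree()).items()):
        print(cat, paths)
```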

Leaked Data Analysis


Nature of Exposed Data


Image: Abyss Locker data leak directory listing index

This directory listing illustrates the scope of the leaked data, including contracts, VPN configurations, invoices, certifications, and client records.

Exposed data commonly includes:

  • PII and financial records

  • Legal agreements and leases

  • Network diagrams and VPN credentials

  • Client and partner information


Leaked Data Analysis from Abyss Locker Victim


The attached directory listing represents a partial view of the data exfiltrated and leaked by the group as part of its double-extortion operation. The leak contains a mix of historical archives, business documents, financial records, and highly sensitive network configuration files from what appears to be a small-to-medium technology consulting or managed service provider (likely "Technology Consulting Inc." based on multiple lease agreement files). The data spans over 15 years and totals several gigabytes, covering archived customer records and current infrastructure details that would be valuable for further attacks or resale on the dark web.


Historical and Archival Data


The leak includes large compressed archives such as 2005-2006-CDR.zip through 2015-CDR.zip (with sizes ranging from 9.6 MB to 278 MB) and additional 2016-CDR.zip and 2017-CDR.zip. These "CDR" files likely contain Call Detail Records, Customer Data Records, or Client Data Repositories, representing long-term client information from as early as 2005. Also present are older cdr_2009.rar and cdr_2010.rar files. Such historical datasets often include PII, contact details, or business transaction logs, making them attractive for identity theft, fraud, or targeted social engineering. A "November 29 2015.xls" spreadsheet and files like "4seasons chinese restaurant.pdf" and "ACTIVE Access Cards.xlsx" further suggest the victim maintained records of clients, vendors, and internal access management.


Business and Financial Documents


Recent operational files include multiple TECHNOLOGY CONSULTING INC. Lease Agreement PDFs dated between September and November 2022 (e.g., 09.15.2022, 10.19.2022 updated, 10.27.2022, 11.10.2022), indicating the company was actively managing office leases. Financial and procurement documents comprise Canada Invoice, 1CCMK15 – New Office Firewall.pdf, MT25292 – New Office Firewall.pdf, backup quotes for "ASCA" (both PDF and XLS), and CDW-related invoices. Certification and training files such as Amazon Certifications, Ingram Micro Illuminate Program.pdf, and CCC Termination Checklist.xlsx reveal partnerships with major vendors and internal HR processes. These documents expose the victim’s corporate structure, financial health, vendor relationships, and physical office details, all useful for business espionage or spear-phishing campaigns.


Critical Infrastructure and Network Configurations


The most damaging portion of the stolen data lies in the BridgePoint → Network folder. It contains:

  • Firewall VPN settings.docx (342 KB)

  • vpn-bed51f89.txt (13 KB), likely a specific VPN configuration or credential file

  • VPN parameters dictated by AWS.docx (176 KB)

  • BP office settings and a screenshot of network equipment


Additional technical files include Veeam 1 yr.pdf, Veeam 3 yr.pdf, VMware.pdf, R8000_UM_EN.pdf (Netgear router manual), and home router references. These files directly expose the victim’s remote access infrastructure, firewall rules, AWS VPN setups, and backup/virtualization environments. Given Abyss Locker’s known targeting of ESXi hosts, Linux systems, and VPN appliances (including SonicWall), the presence of detailed VPN and backup configurations is particularly alarming. Threat actors or buyers on the dark web could use this information to launch follow-on attacks, pivot into the network, or sell access to other ransomware groups.


Overall Risk Assessment


This leak demonstrates a classic double-extortion strategy: the victims not only face encrypted systems but also the public exposure of sensitive historical client data, financial contracts, and exploitable network blueprints. The data suggests a Canadian-based IT services firm that supports clients with networking, backups (Veeam), virtualization (VMware), and cloud (AWS) solutions, ironically the same technologies Abyss Locker frequently targets. The age of the archives (2005–2017) combined with 2022 lease and configuration files indicates poor data hygiene and long-term retention of potentially regulated information.


For the victim, consequences include regulatory violations (if PII or client data is involved), reputational damage, and elevated risk of secondary breaches using the leaked VPN/firewall details. For defenders, this sample highlights why the group prioritizes exfiltration of configuration files and archives before encryption. Organizations should treat such leaks as high-severity incidents and immediately rotate all VPN credentials, review firewall rules, and audit any exposed vendor relationships.


The accompanying WhatHappened.txt ransom note in the second image is the standard Abyss Locker message, confirming this data was stolen and encrypted by the group and offering decryption in exchange for payment.


Incident Response and Recovery


Immediate Response Actions

Isolate infected systems immediately, eradicate the malware, and restore from clean backups after wiping affected machines. Validate dark web exposure as a parallel workstream.


Ransom Payment Considerations

Avoid payment. There is no guarantee of recovery, and payments sustain criminal operations and future targeting.


Post-Incident Hardening

Address root causes by patching vulnerabilities, enhancing access controls, strengthening monitoring, and improving backup isolation.


Threat Outlook and Conclusions


As of February 2026, Abyss Locker remains a recognized threat, particularly for organizations operating VMware ESXi environments. Its HelloKitty heritage, combined with its Linux and ESXi variants and its exploitation of VPN appliances, ensures continued relevance.

Organizations must prioritize vulnerability management, network segmentation, immutable backups, continuous monitoring, and incident readiness to mitigate risks from this and evolving ransomware actors.
