{
	"id": "76d8e9ac-bc38-4eed-af97-ef0fd521ae12",
	"created_at": "2026-04-06T00:19:17.809718Z",
	"updated_at": "2026-04-10T03:21:29.503348Z",
	"deleted_at": null,
	"sha1_hash": "3e9106a9423d847fb274c1d8a679d9d7cf3735b3",
	"title": "Revealing the Abyss Ransomware | Idan Malihi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37524,
	"plain_text": "Revealing the Abyss Ransomware | Idan Malihi\r\nArchived: 2026-04-05 17:11:14 UTC\r\nDuring Abyss ransomware execution, a new log file may be created, and logs may be written to it.\r\nThe ransomware will destroy the contents of files and then change their extension to .XPbS1.\r\nWhen the ransomware is executed, it attempts to infect any external drives present in the system and creates an\r\nautorun file.\r\nThe ransomware will create two files in the system — a JPG file and a TXT file.\r\nThe Abyss ransomware will attempt to perform lateral movement techniques within the local network by\r\nsearching for SMB shares, external drives, and other accessible resources.\r\nWhen the ransomware creates the ‘work.log’ file, it adds the file to an exclusion list.\r\nThe ransomware loads the effective address of the ‘work.log’ string into the rax register. Then, it moves the rax\r\nregister content to the ‘cs:qword_140033CA0’ memory location, which indicates an exclusion list.\r\nThe ‘cs:qword_140033CA0’ content:\r\nAdditionally, the ransomware loads the effective address of the ‘.XPbS1’ string into the rax register. Then, it\r\nmoves the rax register content to the ‘cs:qword_140033A60’ memory location, which indicates an exclusion list\r\nof file extensions.\r\nThe ‘cs:qword_140033A60’ content:\r\nThe ransomware uses the GetTickCount function to obtain the number of milliseconds since the system started.\r\nThis technique is used to avoid detection in sandboxes or virtual machines. Additionally, the ransomware\r\nestablishes a connection with the Windows Service Control Manager using the OpenSCManagerA function. It\r\nthen goes through a list of service names, which are pointed to by off_140009990, and tries to open each service\r\nusing the OpenServiceA function.\r\nThe ransomware uses the CreateToolhelp32Snapshot function to create a snapshot of current processes running on\r\nthe host system. 
It then compares the list of running processes with an executable names list, which is pointed to by\r\nan item named ‘off_140009E90’, using the Process32FirstW and Process32NextW functions. If a match is found,\r\nthe malware uses the OpenProcess function to obtain a handle to the process and the TerminateProcess function to\r\nterminate the process.\r\nThe processes list (off_140009E90):\r\nThen, it sets up a semaphore (hSemaphore) and a handle (hHandle) for thread synchronization. Before the\r\nsynchronization, the ransomware uses the GetSystemInfo function to retrieve information about the system and\r\nthe number of processors. Based on the number of processors, the ransomware adjusts the number of threads\r\n(nCount) and initializes several handles for synchronization.\r\nhttps://idanmalihi.com/revealing-the-abyss-ransomware/\r\nPage 1 of 3\n\nThe subroutine ‘sub_14001A4F0’ uses semaphore thread synchronization and calls the CreateSemaphoreA\r\nfunction.\r\nThe ransomware creates multiple threads using the CreateThread API to execute the ‘sub_14001C870’ subroutine\r\nconcurrently. These threads appear to be assigned tasks related to network shares and paths.\r\nThe ransomware performs network share searches in the ‘sub_14001CB80’ subroutine.\r\nIn the ‘sub_14001CB80’ subroutine code, the ransomware uses the NetShareEnum function to search through the\r\nnetwork shares and disk devices present in the host. The ransomware disregards any hidden administrative shares\r\n(ADMIN$) and records the paths of the detected network shares in the ‘sub_14001A240’ subroutine.\r\nThe ransomware uses several functions to enumerate and determine the type of drives in the system.\r\nIn the ‘sub_14001A740’ subroutine, the ransomware iterates through the predefined drive letters and checks the\r\ndrive type using the GetDriveTypeW function. It enumerates fixed and removable drives on the system. 
For each\r\ndrive with drive type 1 (DRIVE_FIXED), it attempts to assign a corresponding drive letter to the volume using the\r\nSetVolumeMountPointW function.\r\nAlso, in the ‘sub_14001CD20’ subroutine, the ransomware constructs the drive path in the format \\\\?\\X: where ‘X’\r\nis the drive letter. It uses GetDriveTypeW to determine the type of the drive, whether it’s removable, fixed, or\r\nnetwork.\r\nIf the drive type is 1 (root path), 2 (removable drive), or 3 (fixed drive), it logs information and processes the drive\r\npath further.\r\nAfter the ransomware enumerates network shares and logical drives, it starts the encryption operation. The\r\nransomware uses the FindFirstFileW and FindNextFileW functions to go through every file in every directory and\r\nsub-directory.\r\nThe CreateFileW function is used in a loop to create the WhatHappened.txt file in the file system and write the\r\nransom note content using the WriteFile function.\r\nThe threat actors state that they can restore the files on the file system. They claim their motive is purely financial\r\nand open to negotiation.\r\nThe threat actors offer two options to the victim. The first option is to seek help from authorities, but the threat\r\nactors threaten to cause the company to face fines, legal actions, and reputational damage if they try to help with\r\nthe decryption. The second option is to negotiate with the threat actors, pay the ransom, and receive the\r\ndecryption. The threat actors also assure the victim that their privacy will be maintained and that no one will learn of the incident.\r\nThe attackers instruct the company to access a specific URL using the TOR browser to initiate negotiations.\r\nThe BMP content is the ransom note that the ransomware spread in the file system earlier.\r\nThe ransomware opened the ‘HKEY_CURRENT_USER\\Control Panel\\Desktop’ registry path using the\r\nRegOpenKeyExW function. 
It edited the ‘WallpaperStyle’ and ‘TileWallpaper’ entries to 0 using the\r\nRegSetValueExW API.\r\nAs a result, the desktop wallpaper is changed to the ransom note.\r\nYara Rule\r\nDetection\r\nSource: https://idanmalihi.com/revealing-the-abyss-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://idanmalihi.com/revealing-the-abyss-ransomware/"
	],
	"report_names": [
		"revealing-the-abyss-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e9106a9423d847fb274c1d8a679d9d7cf3735b3.pdf",
		"text": "https://archive.orkl.eu/3e9106a9423d847fb274c1d8a679d9d7cf3735b3.txt",
		"img": "https://archive.orkl.eu/3e9106a9423d847fb274c1d8a679d9d7cf3735b3.jpg"
	}
}