{
	"id": "d798e0fe-199c-4f71-8b15-50e11b4be47e",
	"created_at": "2026-04-06T00:22:02.036716Z",
	"updated_at": "2026-04-10T13:11:41.53764Z",
	"deleted_at": null,
	"sha1_hash": "47786b22c45c340d6eee2b8b4230c10a0d93ff1b",
	"title": "Linux version of Abyss Locker ransomware targets VMware ESXi servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3921354,
	"plain_text": "Linux version of Abyss Locker ransomware targets VMware ESXi\r\nservers\r\nBy Lawrence Abrams\r\nPublished: 2023-07-29 · Archived: 2026-04-05 21:43:20 UTC\r\nThe Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in\r\nattacks on the enterprise.\r\nAs the enterprise shifts from individual servers to virtual machines for better resource management, performance, and\r\ndisaster recovery, ransomware gangs create encryptors focused on targeting the platform.\r\nWith VMware ESXi being one of the most popular virtual machine platforms, almost every ransomware gang has begun to\r\nrelease Linux encryptors to encrypt all virtual servers on a device.\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nOther ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include Akira,\r\nRoyal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.\r\nThe Abyss Locker\r\nAbyss Locker is a relatively new ransomware operation that is believed to have launched in March 2023, when it began to\r\ntarget companies in attacks.\r\nLike other ransomware operations, the Abyss Locker threat actors will breach corporate networks, steal data for double-extortion, and encrypt devices on the network.\r\nThe stolen data is then used as leverage by threatening to leak files if a ransom is not paid. 
To leak the stolen files, the threat\r\nactors created a Tor data leak site named 'Abyss-data' that currently lists fourteen victims.\r\nAbyss Locker data leak site\r\nSource: BleepingComputer\r\nThe threat actors claim to have stolen anywhere between 35 GB of data from one company to as high as 700 GB at another.\r\nTargeting VMware ESXi servers\r\nThis week, security researcher MalwareHunterTeam found a Linux ELF encryptor for the Abyss Locker operation and\r\nshared it with BleepingComputer for analysis.\r\nAfter looking at the strings in the executable, it is clear that the encryptor specifically targets VMware ESXi servers.\r\nAs you can see from the commands below, the encryptor utilizes the 'esxcli' command-line VMware ESXi management tool\r\nto first list all available virtual machines and then terminate them.\r\nesxcli vm process list\r\nesxcli vm process kill -t=soft -w=%d\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/\r\nPage 3 of 5\n\nesxcli vm process kill -t=hard -w=%d\r\nesxcli vm process kill -t=force -w=%d\r\nWhen shutting down the virtual machines, Abyss Locker will use the 'vm process kill' command and one of the soft, hard, or\r\nforced options.\r\nThe soft option performs a graceful shutdown, the hard option terminates a VM immediately, and force is used as a last\r\nresort.\r\nThe encryptor terminates all virtual machines to allow the associated virtual disks, snapshots, and metadata to be properly\r\nencrypted by encrypting all files with the following extensions: .vmdk (virtual disks), .vmsd (metadata), and .vmsn\r\n(snapshots).\r\nIn addition to targeting virtual machines, the ransomware will also encrypt all other files on the device and append the\r\n.crypt extension to their filenames, as shown below.\r\nEncrypted files and ransom notes\r\nSource: BleepingComputer\r\nFor each file, the encryptor will also create a file with a .README_TO_RESTORE extension, which acts 
as the ransom\r\nnote.\r\nThis ransom note contains information on what happened to the files and a unique link to the threat actor's Tor negotiation\r\nsite. This site is barebones, only having a chat panel that can be used to negotiate with the ransomware gang.\r\nAbyss Locker ransom note\r\nSource: BleepingComputer\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/\r\nPage 4 of 5\n\nRansomware expert Michael Gillespie said that the Abyss Locker Linux encryptor is based on Hello Kitty, using ChaCha\r\nencryption instead.\r\nHowever, it is not known if this is a rebrand of the HelloKitty operation or if another ransomware operation gained access to\r\nthe encryptor's source code, as we saw with Vice Society.\r\nUnfortunately, HelloKitty has historically been a secure ransomware, preventing the recovery of files for free.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/\r\nPage 5 of 5",
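The VM-termination sequence (esxcli list, then soft/hard/force kill per World ID) and the .crypt / .README_TO_RESTORE artefacts the article describes are the two things an incident responder looks for on a hit ESXi host. The following is an added example written for this page; it is not code from the article, from BleepingComputer, or from the Abyss Locker sample. It is a Python triage script that (1) scans ESXi shell.log lines for an 'esxcli vm process list' followed by per-VM kill escalation within a time window, and (2) inventories a datastore tree for .crypt files and ransom notes, grouped by VM directory and original extension, and notes which .vmdk/.vmsd/.vmsn files survived untouched (useful for scoping what can still be recovered). The shell.log line layout, the ten-minute window, the two-kill threshold, the sample log lines and the sample datastore tree are all constructed assumptions, not facts from the article.

```python
"""Added triage example for the Abyss Locker ESXi behaviour described above:
(1) detect 'esxcli vm process list' followed by per-VM kill escalation in ESXi
shell.log lines; (2) scope '.crypt' damage and '.README_TO_RESTORE' notes on a
datastore. The log layout, thresholds, and sample data are assumptions."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ESXi shell.log layout: '<ISO8601 UTC> shell[<pid>]: [<user>]: <command>'
SHELL_LINE = re.compile(r'^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[[^\]]+\]: (?P<cmd>.*)$')
LIST_CMD = re.compile(r'esxcli\s+vm\s+process\s+list\b')
# The sample's strings carry '-t=<soft|hard|force> -w=%d'; %d is filled with a World ID.
KILL_CMD = re.compile(r'esxcli\s+vm\s+process\s+kill\s.*-t=(?P<type>soft|hard|force)\b.*-w=(?P<wid>\d+)')
TARGET_EXTS = {'.vmdk', '.vmsd', '.vmsn'}  # VM file types the article says are targeted
CRYPT_EXT, NOTE_EXT = '.crypt', '.README_TO_RESTORE'


def scan_shell_log(lines, window=timedelta(minutes=10), min_kills=2):
    """One finding per shell session (pid) that listed VMs and then killed at least
    `min_kills` distinct worlds within `window`; worlds hit with more than one
    -t type (soft -> hard -> force) are listed as 'escalated'."""
    sessions = defaultdict(lambda: {'list_at': None, 'kills': defaultdict(list)})
    for line in lines:
        m = SHELL_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        s, cmd = sessions[m['pid']], m['cmd']
        if LIST_CMD.search(cmd):
            s['list_at'] = ts
            continue
        k = KILL_CMD.search(cmd)
        if k and s['list_at'] is not None and ts - s['list_at'] <= window:
            s['kills'][k['wid']].append(k['type'])
    findings = []
    for pid, s in sessions.items():
        if len(s['kills']) >= min_kills:
            findings.append({'pid': pid, 'worlds': sorted(s['kills']),
                             'escalated': sorted(w for w, t in s['kills'].items() if len(set(t)) > 1)})
    return findings


def triage_datastore(root):
    """Per directory under `root`: which target extensions were encrypted, how many
    other files got '.crypt', how many notes were dropped, and which target
    extensions survived untouched (what may still be recoverable)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        entry = {'vm_files': set(), 'other_crypt': 0, 'notes': 0, 'untouched': set()}
        for name in files:
            if name.endswith(NOTE_EXT):
                entry['notes'] += 1
                continue
            encrypted = name.endswith(CRYPT_EXT)
            ext = os.path.splitext(name[:-len(CRYPT_EXT)] if encrypted else name)[1].lower()
            if encrypted and ext in TARGET_EXTS:
                entry['vm_files'].add(ext)
            elif encrypted:
                entry['other_crypt'] += 1
            elif ext in TARGET_EXTS:
                entry['untouched'].add(ext)
        if entry['vm_files'] or entry['other_crypt'] or entry['notes']:
            report[os.path.relpath(dirpath, root)] = entry
    return report


# Constructed sample data, not artefacts from a real incident.
SAMPLE_LOG = [
    '2023-07-28T09:02:10Z shell[2087711]: [root]: esxcli vm process list',
    '2023-07-28T09:02:40Z shell[2087711]: [root]: esxcli vm process kill -t=soft -w=2100412',  # admin, one VM
    '2023-07-28T10:15:01Z shell[2099895]: [root]: esxcli vm process list',
    '2023-07-28T10:15:03Z shell[2099895]: [root]: esxcli vm process kill -t=soft -w=2100412',
    '2023-07-28T10:15:03Z shell[2099895]: [root]: esxcli vm process kill -t=soft -w=2100587',
    '2023-07-28T10:15:33Z shell[2099895]: [root]: esxcli vm process kill -t=hard -w=2100412',
    '2023-07-28T10:16:03Z shell[2099895]: [root]: esxcli vm process kill -t=force -w=2100412',
    '2023-07-28T10:20:00Z shell[2099895]: [root]: ls /vmfs/volumes',
]


def build_sample_datastore():
    """Throwaway tree: one fully hit VM, one partially hit VM, one untouched directory."""
    root = tempfile.mkdtemp(prefix='datastore1_')
    layout = {
        'web01': ['web01.vmx.crypt', 'web01.vmdk.crypt', 'web01-flat.vmdk.crypt',
                  'web01.vmsd.crypt', 'web01-Snapshot1.vmsn.crypt', 'web01.README_TO_RESTORE'],
        'db02': ['db02.vmx', 'db02.vmdk.crypt', 'db02.vmsd', 'db02.README_TO_RESTORE'],
        'iso': ['ubuntu-22.04.iso'],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            open(os.path.join(root, d, n), 'w').close()
    return root


if __name__ == '__main__':
    for f in scan_shell_log(SAMPLE_LOG):
        print('session %s killed worlds %s, escalated on %s' % (f['pid'], f['worlds'], f['escalated']))
    for d, e in sorted(triage_datastore(build_sample_datastore()).items()):
        print('%s: encrypted %s, other .crypt=%d, notes=%d, untouched %s' % (
            d, sorted(e['vm_files']), e['other_crypt'], e['notes'], sorted(e['untouched'])))
```

The log check keys on the list-then-kill pairing rather than on any single kill command, because an administrator killing one hung VM looks identical to a single line of the encryptor's sequence; the sample log includes such a benign session, which produces no finding. The datastore check deliberately reports surviving .vmsd/.vmsn files per VM directory, since a VM whose snapshot metadata escaped encryption is scoped differently from one where every targeted extension was hit.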
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/"
	],
	"report_names": [
		"linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47786b22c45c340d6eee2b8b4230c10a0d93ff1b.pdf",
		"text": "https://archive.orkl.eu/47786b22c45c340d6eee2b8b4230c10a0d93ff1b.txt",
		"img": "https://archive.orkl.eu/47786b22c45c340d6eee2b8b4230c10a0d93ff1b.jpg"
	}
}