September 29, 2023

Ransomware attacks on enterprise networks have increasingly focused on virtual machines as enterprises adopt VMware’s ESXi platform for improved resource management and disaster recovery.

Almost every major ransomware operation has developed Linux encryptors to target VMware ESXi, including Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

Abyss Locker, a newly emerged ransomware operation, has been targeting companies since March 2023. Like other groups, Abyss Locker hackers breach corporate networks, steal data to extort victims, and encrypt devices on the network. They threaten to leak the stolen files unless a ransom is paid. The threat actors have also created a Tor data leak site called “Abyss-data,” currently listing fourteen victims.


Security researcher MalwareHunterTeam recently discovered and shared a Linux ELF encryptor associated with the Abyss Locker operation. Analysis shows that the encryptor specifically targets VMware ESXi servers. It uses the ‘esxcli’ command-line VMware ESXi management tool to list available virtual machines and terminate them.

The encryptor terminates all virtual machines to ensure proper encryption of associated virtual disks, snapshots, and metadata. It also encrypts all other files on the device and appends the ‘.crypt’ extension to their filenames.

Each encrypted file is accompanied by a ransom note with the ‘.README_TO_RESTORE’ extension. The note provides information about the attack and includes a unique link to the threat actor’s Tor negotiation site for ransom negotiation.
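As an added illustration, not code from the article or from the ransomware itself, the following Python triage helper looks for the behaviour described above in ESXi shell log lines and datastore file names. It assumes the encryptor uses the standard ‘esxcli vm process list’ and ‘esxcli vm process kill’ subcommands, which the article does not spell out, and all sample log lines and paths are constructed.

```python
import re
from collections import Counter
from typing import Iterable

# Assumption: the encryptor lists and kills VMs with the standard
# 'esxcli vm process list' / 'esxcli vm process kill' subcommands; the article
# only says it uses esxcli for that. ESXi logs shell commands to /var/log/shell.log.
LIST_RE = re.compile(r"esxcli\s+vm\s+process\s+list\b")
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--world-id[= ](\d+)")
ENCRYPTED_EXT = ".crypt"         # appended to every encrypted file
NOTE_EXT = ".README_TO_RESTORE"  # ransom note dropped beside each file

def scan_shell_log(lines: Iterable[str], kill_threshold: int = 3) -> dict:
    """Flag a VM listing followed by several forced kills; one kill alone
    can be routine administration, so it is reported but not flagged."""
    listed, killed = False, []
    for line in lines:
        if LIST_RE.search(line):
            listed = True
        m = KILL_RE.search(line)
        if m:
            killed.append(m.group(1))
    return {"listed_vms": listed, "killed_world_ids": killed,
            "suspicious": listed and len(killed) >= kill_threshold}

def classify_paths(paths: Iterable[str]) -> dict:
    """Count datastore files by the two on-disk indicators the article names."""
    counts = Counter()
    for p in paths:
        if p.endswith(NOTE_EXT):
            counts["ransom_notes"] += 1
        elif p.endswith(ENCRYPTED_EXT):
            counts["encrypted_files"] += 1
        else:
            counts["other"] += 1
    return dict(counts)

# Constructed sample data (not taken from a real incident).
SAMPLE_SHELL_LOG = [
    "2023-09-29T10:01:02Z shell[2094]: [root]: esxcli vm process list",
    "2023-09-29T10:01:05Z shell[2094]: [root]: esxcli vm process kill --type=force --world-id=2101",
    "2023-09-29T10:01:06Z shell[2094]: [root]: esxcli vm process kill --type=force --world-id=2144",
    "2023-09-29T10:01:07Z shell[2094]: [root]: esxcli vm process kill --type=force --world-id=2187",
]
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.crypt",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.README_TO_RESTORE",
]
```

Running `scan_shell_log(SAMPLE_SHELL_LOG)` on the constructed lines reports the three killed world IDs and flags the sequence, while `classify_paths(SAMPLE_PATHS)` counts two encrypted files and one ransom note.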


Although the Abyss Locker Linux encryptor is based on HelloKitty ransomware, it utilizes ChaCha encryption instead. It is still unclear whether the encryptor is a rebranding of the HelloKitty operation or if another ransomware group acquired its source code.

Unfortunately, HelloKitty has proven to be a formidable ransomware, preventing the recovery of files without payment.
