Abyss Locker Ransomware Linux Version Targets VMware ESXi Servers


July 31, 2023


The Abyss Locker gang is the latest ransomware operation to develop a Linux encryptor that targets VMware ESXi servers and the virtual machines they host.

“With VMware ESXi being one of the most popular virtual machine platforms, almost every ransomware gang has begun to release Linux encryptors to encrypt all virtual servers on a device,” Bleeping Computer reports.

“Other ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include Akira, Royal, BlackBasta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.”

Abyss Locker is a newer ransomware operation that first emerged in March 2023.

Takeaway: While the ransomware economy is in constant flux, with new groups emerging all the time, one thing has not changed: these criminal organizations continue to be profitable.

More ransomware gangs have developed Linux versions of their encryptors over the last year, expanding the range of systems they can target, but little attention has been paid to what this trend means for the threat landscape.

While Linux has a much smaller desktop footprint than Windows, it runs many of the most important systems: web servers, most embedded and IoT devices used in manufacturing and energy, smartphones and supercomputers, much of the US government and military networks, and the critical backbone systems of any large network.

Yet we rarely see discussion of ransomware targeting Linux systems in the media. Groups like LockBit, IceFire, Black Basta, Cl0p, Akira, and now Abyss and others, have each developed Linux-targeting capabilities, which makes widespread, disruptive ransomware attacks on Linux systems in the near future a distinct possibility.

Any organization running critical Linux systems should start preparing to defend them, but defending them is a challenge. Linux systems have very few security solution options available, and virtually none that focus specifically on stopping ransomware.

The targeting of Linux systems has the potential to cause a serious disruption beyond the scale of what we saw in the Colonial Pipeline attack. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.