Abyss Locker Ransomware: Attack Flow & Defense Strategies | Sygnia

Abyss Locker is a ransomware threat group that emerged in 2023. It targets critical network devices, focusing in particular on vulnerabilities in VPN appliances for initial access, and uses credential harvesting and lateral movement to compromise systems and exfiltrate data before deploying ransomware. Key defensive measures include patch management, network segmentation, and stronger credential security. Affected: VPN appliances, network security (ransomware)

Keypoints :

  • Abyss Locker specializes in rapid and effective intrusions using ransomware.
  • Typically initiates attacks by exploiting unpatched VPN appliances, such as SonicWall.
  • Harvests credentials from backup appliances using modified PowerShell scripts.
  • Employs techniques to evade detection, including disabling security tools and modifying system processes.
  • Utilizes SSH/SOCKS tunneling for Command-and-Control communication.
  • Targets both Windows systems and ESXi hosts for encryption, deploying ransomware with distinct file extensions.
  • Sygnia recommends network segmentation and robust credential management to mitigate these attacks.

MITRE Techniques :

  • T1133 – External Remote Services: Exploitation of unpatched VPN appliances for initial access.
  • T1543.003 – Create or Modify System Process: Windows Service: Deployment of the ‘WMI Helper Agent’ as a persistent service.
  • T1136.001 – Create Account: Local Account: Creation of a backdoor user on NAS devices.
  • T1078 – Valid Accounts: Local Accounts: Exploitation of high-privilege accounts for credential harvesting.
  • T1068 – Exploitation for Privilege Escalation: Exploitation of system vulnerabilities to elevate privileges.
  • T1562.001 – Impair Defenses: Disable or Modify Tools: Techniques employed to disable endpoint protection.
  • T1555 – Credentials from Password Stores: Harvesting credentials from Veeam backup systems.
  • T1003.002 – OS Credential Dumping: SAM: Remote dumping of the Security Account Manager.
  • T1046 – Network Service Discovery: Discovery of network services for lateral movement.
  • T1021.001 – Remote Services: RDP: Utilization of RDP for lateral movement.
  • T1021.004 – Remote Services: SSH: Leveraging SSH for remote command execution.
  • T1570 – Lateral Tool Transfer: Use of tools like PsExec for lateral movement.
  • T1005 – Data from Local System: Exfiltrating data using tools such as ‘Rclone’.
  • T1486 – Data Encrypted for Impact: Deployment of ransomware post-exfiltration.
  • T1490 – Inhibit System Recovery: Deletion of volume shadow copies to hinder recovery efforts.

Indicators of Compromise :

  • [File] Backdoor (wmihelper.exe) – c:\users\<user>\appdata\roaming\microsoft\wmi\wmihelper.exe
  • [Hash] Backdoor (wmihelper.exe) – SHA256: 05b82d46ad331cc16bdc00de5c6332c1ef818df8ceefcd49c726553209b3a0da
  • [File] ‘Rclone’ utility – C:\Windows\System32\rclone
  • [File] Anti-virus killer – C:\Windows\Temp\SophosAV.exe
  • [IP Address] C2 IP Address – 64.95.12.57
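The indicators above, together with the ‘WMI Helper Agent’ service named under T1543.003, are enough to build a small triage check. The script below is an added example, not code from Sygnia or from the original write-up: it matches the published hash, file paths and C2 address (and the service name) against endpoint telemetry. The log format it parses (one event per line of space-separated key=value pairs) and the sample events are constructed for the demonstration; a real deployment would read Sysmon, EDR or proxy events instead. Paths are normalised to lowercase backslashes and matched by substring, so the wmihelper.exe entry matches any user profile and the rclone entry matches with or without an `.exe` suffix.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the Sygnia write-up summarised above.
ABYSS_SHA256 = {"05b82d46ad331cc16bdc00de5c6332c1ef818df8ceefcd49c726553209b3a0da"}
ABYSS_C2_IPS = {"64.95.12.57"}
# Compared after normalisation (lowercase, backslashes). The first entry omits
# the drive and user segment so it matches any profile directory.
ABYSS_PATH_FRAGMENTS = (
    r"\appdata\roaming\microsoft\wmi\wmihelper.exe",
    r"c:\windows\system32\rclone",
    r"c:\windows\temp\sophosav.exe",
)
ABYSS_SERVICE_NAMES = {"wmi helper agent"}

# Assumed (constructed) log format: key=value pairs, values optionally quoted.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict (quoted values keep spaces)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV_RE.finditer(line)}


def normalise_path(path: str) -> str:
    """Lowercase, strip quotes and unify separators so matching is case- and slash-insensitive."""
    return path.strip().strip('"').replace("/", "\\").lower()


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    detail: str


def check_event(line_no: int, ev: dict) -> list:
    """Apply every Abyss Locker indicator to a single parsed event."""
    alerts = []
    digest = ev.get("sha256", "").lower()
    if digest in ABYSS_SHA256:
        alerts.append(Alert(line_no, "abyss_known_hash", digest))
    # Both process images and service binary paths are checked against the path list.
    for key in ("image", "path"):
        if key in ev:
            p = normalise_path(ev[key])
            if any(frag in p for frag in ABYSS_PATH_FRAGMENTS):
                alerts.append(Alert(line_no, "abyss_known_path", p))
    if ev.get("event") == "service_install" and ev.get("name", "").lower() in ABYSS_SERVICE_NAMES:
        alerts.append(Alert(line_no, "abyss_persistence_service", ev["name"]))
    if ev.get("dst") in ABYSS_C2_IPS:
        alerts.append(Alert(line_no, "abyss_c2_connection", ev["dst"]))
    return alerts


def scan(log_text: str) -> list:
    """Scan a whole log; line numbers are 1-based and count blank lines too."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            alerts.extend(check_event(line_no, parse_event(line)))
    return alerts


# Constructed sample telemetry: line 1 and line 6 are benign, the rest carry indicators.
SAMPLE_LOG = r"""event=process_create image="C:\Windows\System32\svchost.exe" sha256=0000000000000000000000000000000000000000000000000000000000000001
event=process_create image="C:\Users\jdoe\AppData\Roaming\Microsoft\WMI\wmihelper.exe" sha256=05b82d46ad331cc16bdc00de5c6332c1ef818df8ceefcd49c726553209b3a0da
event=service_install name="WMI Helper Agent" path="C:\Users\jdoe\AppData\Roaming\Microsoft\WMI\wmihelper.exe"
event=net_connect src=10.0.0.15 dst=64.95.12.57 dport=443
event=process_create image="C:\Windows\Temp\SophosAV.exe" sha256=0000000000000000000000000000000000000000000000000000000000000002
event=net_connect src=10.0.0.15 dst=10.0.0.1 dport=53
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule} ({a.detail})")
```

Hash matches are the highest-confidence signal but the easiest for the operator to change by recompiling; the path and service-name rules survive a rebuild, and the C2 address rule belongs in the network layer (proxy or firewall logs) rather than on the endpoint alone.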


Full Story: https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/
