Abyss Locker Ransomware strikes from the depths — ShadowStackRE
Common Information

Type                            Value
UUID                            c9365f26-2121-470c-94c8-f26b4f26d142
Fingerprint                     be14de1321218604
Analysis status                 DONE
Considered CTI value            0
Text language
Published                       Aug. 17, 2024, midnight
Added to db                     Aug. 31, 2024, 10:57 a.m.
Last updated                    Oct. 1, 2024, 3:47 p.m.
Headline                        Abyss Locker Ransomware
Title                           Abyss Locker Ransomware strikes from the depths — ShadowStackRE
Detected Hints/Tags/Attributes  42/1/9
Attributes

Type       #Events  Value
Domain     10       libcrypto.so
Domain     10       shadowstackre.com
Domain     18       opensource.org
File       1        'work.log
File       5        '.tmp
File       5        work.log
sha256     4        72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462
Url        10       https://opensource.org/license/mit
Yara rule  1        (rule text follows)

rule AbyssLocker {
	meta:
		description = "rule to detect ESXi variant of AbyssLocker"
		author = "ShadowStackRe.com"
		date = "2023-08-13"
		Rule_Version = "v1"
		malware_type = "ransomware"
		malware_family = "Ransom:Linux/AbyssLocker"
		hash1 = "72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462"
		License = "MIT License, https://opensource.org/license/mit/"
	strings:
		$usage_string = "Usage:%s [-m (5-10-20-25-33-50) -v -d] Start Path"
		$audit_log = "work.log"
		$prog_opts = "m:vdekc:"
		$daemon_switch = "switch to daemon"
		$encrypt_progress = "porgress %s:%.2f GB\ttotal %.2f GB\t%.2f sec.\t%.4f GB\\s"
		$file_ext = ".crypt"
		$readme_ext = ".README_TO_RESTORE"
		$readme_note = "We are the Abyss Locker"
	condition:
		all of them
}