abyss-data

Abyss‑Data, also known as Abyss Locker, is a ransomware operation first identified around March 2023. It conducts double extortion by exfiltrating data and encrypting systems—particularly targeting VMware ESXi virtual environments—then threatening to leak stolen data via a TOR-based leak site if ransom demands aren't met. The group’s Linux variant derives from the Babuk ransomware source code with encryption resembling HelloKitty, using ChaCha–based ciphers. On Windows, Abyss Locker encrypts files (typically appending “.abyss” or randomized extensions), deletes Volume Shadow Copies, manipulates boot policy to disable recovery, and delivers ransom notes (e.g., WhatHappened.txt), often replacing the desktop wallpaper as part of its extortion tactics. Its campaigns have targeted diverse industries—finance, healthcare, manufacturing, technology—across multiple regions, with victim lists prominently featuring organizations in North America.