Abyss is ransomware observed in a small number of incidents affecting industrial organizations. Dragos listed Abyss among minimal-activity groups in 2025, with one reported industrial incident in the cited reporting period. High-confidence reporting also links Abyss-related intrusions to compromises of SonicWall SMA appliances. Google Threat Intelligence Group identified noteworthy overlaps between activity by UNC6148 on end-of-life SonicWall SMA 100 devices and Abyss-related ransomware incidents. In late 2023, Truesec investigated an Abyss ransomware incident in which attackers installed a web shell on an SMA appliance, and the web shell reportedly maintained persistence despite firmware updates. In March 2024, incident response reporting from InfoGuard AG described a similar SMA device compromise that also resulted in deployment of Abyss malware. Based on the cited content, Abyss has been associated with persistence on compromised edge appliances, particularly SonicWall SMA devices, and deployment following appliance compromise. The content does not provide further confirmed technical details on Abyss encryption behavior, ransom workflow, specific victimology beyond industrial-sector reporting, or distinct indicators of compromise.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Minimal-activity ransomware brand referenced as part of the long-tail of operators.
Ransomware referenced in incidents involving SonicWall SMA appliance compromise; attackers reportedly maintained persistence (e.g., via web shell) and later deployed Abyss.
Ransomware operation referenced as minimal activity in Q2 2025 (no additional detail provided).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.