
Helldown ransomware is a relatively new and evolving threat in the cybersecurity landscape. Initially targeting Windows systems, it has now expanded to attack VMware and Linux environments. This ransomware group employs a double-extortion model, meaning they exfiltrate sensitive data before encrypting systems and then threaten to leak the stolen information if ransoms are not paid.
The Helldown operation has claimed 31 victims over the past three months, largely by using a Windows version of its crypto-locking malware, together with a data-leak site where it attempts to name and shame victims.
One of the key tactics used by Helldown is exploiting vulnerabilities, especially CVE-2024-42057 in Zyxel firewalls, to gain initial access to networks. The attackers then move laterally within the network, disable security measures, and exfiltrate data. The Linux variant of Helldown is particularly concerning as it targets VMware virtual machines, aiming to shut them down before encryption.
On September 3, Zyxel publicly disclosed a command injection vulnerability in the IPSec VPN feature of some firewall versions. This vulnerability allowed unauthenticated attackers to execute OS commands by sending a crafted username. Last month, Zyxel warned that attackers had stolen credentials from previous vulnerabilities and used them to gain remote access to patched devices. The stolen credentials allowed attackers to create SSL VPN tunnels and modify security policies, granting them access to devices and networks.
As per the advisory: “Based on our investigation, the threat actors were able to steal valid credentials information from previous vulnerabilities and such credentials were not changed, allowing them to now create SSL VPN tunnels with temporary users, such as ‘SUPPOR87’, ‘SUPPOR817’ or ‘vpn’, and modify the security policies to provide them with access to the device and network.”
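A hunt for the behaviour the advisory describes (a freshly created account that is immediately used to bring up an SSL VPN tunnel and change security policy), as an added example that is not part of the original article or of Zyxel's tooling. The event records, their field names and the one-hour "temporary user" window are constructed assumptions in a vendor-neutral shape, not Zyxel's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral record format
# (not Zyxel's real log syntax). Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-11-01T02:10:00", "event": "user_created",     "user": "SUPPOR87", "src": "198.51.100.7"},
    {"ts": "2024-11-01T02:11:30", "event": "sslvpn_tunnel_up", "user": "SUPPOR87", "src": "198.51.100.7"},
    {"ts": "2024-11-01T02:14:00", "event": "policy_modified",  "user": "SUPPOR87", "src": "198.51.100.7"},
    {"ts": "2024-11-01T09:00:00", "event": "sslvpn_tunnel_up", "user": "jsmith",   "src": "203.0.113.5"},
    {"ts": "2024-11-02T03:05:00", "event": "user_created",     "user": "vpn",      "src": "198.51.100.7"},
    {"ts": "2024-11-02T03:06:00", "event": "sslvpn_tunnel_up", "user": "vpn",      "src": "198.51.100.7"},
]

# Names quoted in the advisory ('SUPPOR87', 'SUPPOR817', 'vpn'), generalised to
# the "SUPPOR<digits>" shape they share.
KNOWN_TEMP_USER = re.compile(r"^(SUPPOR\d+|vpn)$", re.IGNORECASE)
WINDOW = timedelta(hours=1)  # assumption: "temporary" = created and used within an hour

def find_suspicious_vpn_users(events):
    """Return {user: [reasons]} for accounts that look like attacker-created temporary VPN users."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        reasons = []
        if KNOWN_TEMP_USER.match(user):
            reasons.append("name matches known temporary-user pattern")
        created = [e for e in evs if e["event"] == "user_created"]
        if created:
            # Behavioural check: what did the account do within WINDOW of being created?
            t0 = datetime.fromisoformat(created[0]["ts"])
            later = {e["event"] for e in evs
                     if timedelta(0) <= datetime.fromisoformat(e["ts"]) - t0 <= WINDOW}
            if "sslvpn_tunnel_up" in later:
                reasons.append("SSL VPN tunnel within 1h of account creation")
            if "policy_modified" in later:
                reasons.append("security policy modified within 1h of account creation")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_suspicious_vpn_users(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

The behavioural check is the part worth keeping: it still fires when an attacker picks a name that does not match the quoted patterns.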
In another intrusion, documented by security firm Trusec on Nov. 7, the attacker used a local, externally facing account in a Zyxel firewall and then used the domain controller’s LDAP synchronization credentials to pivot further into the network, including gaining full access to Active Directory. After that, the attacker deployed a hellenc.exe encryptor on multiple endpoints, which forcibly encrypted multiple files on each system, then removed itself and rebooted the endpoints, leaving a ransom note on their desktops.
Helldown claims on its leak site to have exfiltrated 400GB+ of data from individual victims. These claims could not be confirmed. Sekoia said even if the ransomware group did attempt to leak such large quantities of data via its leak site, whether anyone could practically download it remains questionable, given the slow speed of downloads from the dark web.
Despite its rapid growth and increasing sophistication, the Helldown ransomware still shows signs of being under development, especially in its Linux variant. This ongoing evolution makes it a significant threat that cybersecurity teams need to monitor closely.
Indicators of Compromise


