Decrypt LOL
Emergence of Helldown Ransomware Group Documented in Report

Quick take - A report released on November 14, 2024, details the emergence of the ransomware group Helldown, which has rapidly targeted small and medium-sized businesses, primarily in the United States, employing a double extortion strategy and exploiting vulnerabilities in Zyxel firewalls to exfiltrate sensitive data.

Fast Facts

  • Helldown, a new ransomware group identified in August 2024, has quickly claimed 31 victims, primarily targeting small and medium-sized businesses in the U.S. and Europe.
  • The group employs a double extortion strategy, exfiltrating sensitive data and threatening to publish it if ransom demands are not met, utilizing a Data Leak Site (DLS).
  • Helldown exploits vulnerabilities, particularly in Zyxel firewalls, including a critical vulnerability (CVE-2024-42057) that allows malicious code execution without authentication.
  • The group has developed ransomware variants for both Windows and Linux, with the Windows version capable of deleting shadow copies and encrypting files, while the Linux variant is still in development.
  • Zyxel has released security patches to address the vulnerabilities exploited by Helldown, and the report provides indicators of compromise (IoCs) to help cybersecurity professionals mitigate threats.

Emergence of Helldown Ransomware Group

A report released on November 14, 2024, has shed light on the activities of a new ransomware group known as Helldown, marking its emergence in the cybersecurity landscape. First documented by Cyfirma in August 2024, Helldown has rapidly become a significant threat, claiming 31 victims within three months. The group primarily targets small and medium-sized businesses, although some larger corporations have also been affected. Most of the victims are located in the United States, with additional cases reported in Europe, including three incidents in France.

Tactics and Techniques

Helldown employs a double extortion strategy, exfiltrating sensitive data and threatening to publish it if ransom demands are not met. To facilitate this, Helldown has created a Data Leak Site (DLS), with changes observed in late August 2024. The group exploits vulnerabilities to gain initial access to networks, particularly focusing on vulnerabilities in Zyxel firewalls. A critical vulnerability, identified as CVE-2024-42057, allows for the execution of malicious code without authentication. Following reports of compromised Zyxel firewalls, Zyxel released security patches on September 3, 2024. Truesec CSIRT has confirmed incidents linked to Helldown involved exploiting these vulnerabilities.

Attackers use SSL VPN to connect to compromised networks. The data exfiltrated by Helldown averages around 70GB per victim, though reported volumes range from 22GB to as much as 431GB. The stolen information primarily consists of PDFs and scanned documents, often sourced from network-attached storage (NAS) systems or document management portals.

Ransomware Variants

Helldown has developed ransomware variants for both Windows and Linux systems. The Windows version deletes system shadow copies and encrypts files, modifying filenames and icons in the process. A ransom note is generated on the desktop post-encryption. A Linux variant, discovered on October 31, 2024, specifically targets VMware ESX servers. Unlike its Windows counterpart, the Linux code shows signs of being in development, lacking obfuscation and anti-debugging mechanisms. However, it also generates a ransom note and encrypts files based on defined criteria.

Despite operational similarities to other ransomware groups such as Darkrace and Donex, no definitive connections have been established. Helldown’s success appears to stem from exploiting undocumented vulnerabilities rather than relying on advanced ransomware techniques. Zyxel has confirmed that the vulnerabilities exploited by Helldown have been addressed in the latest firmware updates. The report includes indicators of compromise (IoCs) for both Windows and Linux payloads, aiming to assist cybersecurity professionals in identifying and mitigating threats posed by Helldown.
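The Windows variant's deletion of shadow copies is one of the few behaviours described above that a defender can turn into a concrete detection. The following script is an added example written for this page; it is not code from the newsletter, from the underlying report, or from Helldown. It scans process-creation log lines (constructed here in a simplified `key=value` form, standing in for Sysmon Event ID 1 or Security Event ID 4688 data) for the well-known shadow-copy and backup-catalog deletion command lines (ATT&CK T1490). The report summarised above does not say which method Helldown uses, so the pattern list is an assumption, as are the host and user names in the sample log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified process-creation event format, constructed for this example.
# Real sources would be Sysmon Event ID 1 or Windows Security Event ID 4688.
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Command-line shapes that remove Volume Shadow Copies or the backup catalog.
# These are the commonly documented T1490 methods; the report does not state
# which one Helldown's Windows payload uses, so this list is an assumption.
SHADOW_COPY_DELETION_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I), "PowerShell Win32_ShadowCopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I), "wbadmin delete catalog"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    user: str
    technique: str
    command_line: str


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None if the line does not match the format."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines) -> list:
    """Return one Finding per event whose command line matches a deletion pattern."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        event = parse_line(line)
        if event is None:
            continue  # malformed or truncated line: skip it rather than abort the scan
        for pattern, technique in SHADOW_COPY_DELETION_PATTERNS:
            if pattern.search(event["cmd"]):
                findings.append(Finding(line_no, event["host"], event["user"], technique, event["cmd"]))
                break  # one finding per event; the first matching pattern wins
    return findings


def hosts_with_repeated_deletion(findings, threshold: int = 2) -> list:
    """Hosts on which at least `threshold` deletion commands ran. Several different
    deletion methods in quick succession on one host is a much stronger signal than a
    single command, which an administrator occasionally issues legitimately."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


# Constructed sample log: three deletion attempts on one workstation, one benign
# 'list' command on a file server, and one malformed line. Hosts and users are invented.
SAMPLE_LOG_LINES = [
    r'2024-11-14T10:02:11Z host=WS-ACCT-07 user=CORP\jdoe cmd="C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"',
    r'2024-11-14T10:02:13Z host=WS-ACCT-07 user=CORP\jdoe cmd="wmic shadowcopy delete"',
    r'2024-11-14T10:05:00Z host=FS-01 user=CORP\backupsvc cmd="vssadmin list shadows"',
    r'2024-11-14T10:05:30Z host=FS-01 user=CORP\backupsvc cmd="wbadmin start backup',
    r'2024-11-14T10:06:42Z host=WS-ACCT-07 user=CORP\jdoe cmd="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG_LINES)
    for f in results:
        print(f"line {f.line_no}: {f.host} {f.user} -> {f.technique}: {f.command_line}")
    print("hosts with repeated deletion attempts:", hosts_with_repeated_deletion(results))
```

The per-event match is deliberately kept separate from the per-host aggregation: the first gives an analyst something to triage, while the second is what would reasonably page someone, since backup or imaging tooling can legitimately produce one `vssadmin delete shadows` but rarely three different deletion methods within minutes.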

Original Source: Read the Full Article Here