Helldown Ransomware Attacking VMware ESXi And Linux Servers

Helldown, a new ransomware group, actively exploits vulnerabilities to breach networks, as since August 2024, they have compromised 28 victims, leaking their data on a dedicated website. 

The ransomware group IS has updated its data leak site, removing three victims, possibly indicating successful ransom payments by continuing its double extortion tactic, stealing and threatening to leak data if ransom demands are not met.

It was active primarily in August and October and has compromised over 30 victims, including small and medium-sized businesses and larger organizations like Zyxel Europe, as their focus seems to have shifted between active attacks and tool development.

- Advertisement -

An analysis revealed that at least eight victims, including one compromised in early August, utilized Zyxel firewalls for IPSec VPN access during their breach, where two victims subsequently replaced their Zyxel firewalls post-compromise, as indicated by Censys historical data. 

Zyxel firewalls with v5.38 firmware have been compromised, potentially exploiting the critical CVE-2024-42057 vulnerability.

An attacker uploaded a potentially malicious ELF binary, possibly linked to the recent breaches, but the payload is incomplete.

Threat actors are exploiting vulnerabilities in Zyxel firewalls to create unauthorized accounts, such as “SUPPOR87” and “VPN,” via SSL VPN, potentially granting them unauthorized access to victim systems.

The Helldown group exploited a Zyxel vulnerability to compromise firewalls, using the OKSDW82A account to access the network via SSL VPN, where post-compromise activities included lateral movement, privilege escalation, and the deployment of tools like Advanced Port Scanner and HRSword, indicating potential ransomware intentions.

It exfiltrates large volumes of data, including sensitive documents, directly from network file shares while being less targeted, intensifying pressure on victims by exposing a wide range of confidential information.

The Windows executable payload is a ransomware variant that encrypts files, generates a ransom note, and persists on the infected system using Windows APIs.

The ransomware deletes system shadow copies, drops and executes a script to terminate critical processes, encrypts files, modifies filenames and icons, generates a ransom note, removes its traces, and shuts down the system.

According to Sekoia, it loads its configuration from an XOR-encrypted XML file, checks for administrator privileges, disables 64-bit redirection, and then encrypts specified files while deleting shadow copies and replacing file icons with a ransom note.

By executing commands, it deletes shadow copies, drops an icon, modifies the registry, and then terminates specified processes, creates a ransom note, and finally shuts down the system. 

Helldown, a new threat actor, exploits undocumented Zyxel firewall vulnerabilities to gain network access and deploy basic ransomware. Their success lies in their ability to exploit these vulnerabilities rather than the sophistication of their malware.

The group exploited a Zyxel vulnerability to deploy LockBit 3 ransomware, likely targeting virtualized VMware infrastructures, while this vulnerability, not yet assigned a CVE, has been addressed by Zyxel in a recent firmware update.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free