Helldown, a new ransomware group, has been exploiting vulnerabilities to breach networks and compromise victims since August 2024, with 28 breaches reported so far. They have been leaking stolen data on a dedicated website.
Recently, the group updated its data leak site, removing three victims, which suggests successful ransom payments. This indicates Helldown is continuing its double extortion tactic, where they steal data and threaten to leak it unless the ransom is paid.
Helldown Ransomware
Helldown was most active in August and October, compromising over 30 victims, including small and medium-sized businesses, as well as larger organizations like Zyxel Europe. Their focus appears to have shifted between carrying out attacks and developing new tools.
An analysis showed that at least eight victims, including one breached in early August, used Zyxel firewalls for IPSec VPN access during their compromise.
Two victims replaced their firewalls afterward, according to Censys data. Zyxel firewalls with v5.38 firmware were exploited, likely using the critical CVE-2024-42057 vulnerability. An attacker also uploaded a malicious ELF binary, possibly tied to the breaches, but the payload was incomplete.
Threat actors are exploiting vulnerabilities in Zyxel firewalls to create unauthorized accounts like “SUPPOR87” and “VPN” through SSL VPN, gaining potential access to victim systems.
The Helldown group used a Zyxel vulnerability to compromise firewalls, leveraging the OKSDW82A account for SSL VPN access. After gaining access, they performed lateral movement, escalated privileges, and deployed tools such as Advanced Port Scanner and HRSword, suggesting possible ransomware motives.
The ransomware exfiltrates large amounts of sensitive data from network file shares and increases pressure on victims by exposing a wide array of confidential information.
The Windows executable payload encrypts files, creates a ransom note, and maintains persistence on the system through Windows APIs. It also deletes shadow copies, runs a script to terminate critical processes, encrypts files, alters filenames and icons, generates a ransom note, erases traces, and shuts down the system.
Helldown, a new threat actor, exploits Zyxel firewall vulnerabilities to gain network access and deploy basic ransomware like LockBit 3. The ransomware encrypts files, deletes shadow copies, and replaces icons with a ransom note. It uses an XOR-encrypted XML file for configuration, checks for admin rights, and terminates processes before shutting down the system. Zyxel has fixed this issue in a recent firmware update.
IoCs
- Helldown Windows payload – sha256
0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfab
7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7
7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872
3e3fad9888856ce195c9c239ad014074f687ba288c78ef26660be93ddd97289e
- Helldown Windows – icon, ransom note and scripts – sha256
2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e1
47635e2cf9d41cab4b73f2a37e6a59a7de29428b75a7b4481205aee4330d4d19
cb48e4298b216ae532cfd3c89c8f2cbd1e32bb402866d2c81682c6671aa4f8ea
67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733
2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0 (overlap with Darkrace and Donex)
- Helldown Linux payload – sha256
6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd
- Helldown Linux – ransom note – sha256
9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c
- Zyxel compromission artefact (zzz1.conf) – sha256
ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment