Understanding the Emerging Threat of Helldown Ransomware

Helldown is an emerging ransomware group that now targets both Windows and Linux systems, using double extortion and large-scale data theft to pressure victims. The group leverages vulnerabilities in Zyxel firewalls for initial access and shows tooling/behavioral similarities to other families such as Darkrace and Donex. #Helldown #Zyxel

Keypoints

  • Helldown has recently expanded activity to target both Windows and Linux environments.
  • Operates a double extortion model: encrypting files and threatening to publish stolen data if ransoms are not paid.
  • Common initial access vector is exploiting vulnerabilities in Zyxel firewalls.
  • At least 31 victims identified, primarily small and medium-sized businesses, including Zyxel Europe.
  • Large-scale data exfiltration observed, averaging around 70 GB per incident.
  • Technical indicators and code/behavioral overlaps suggest similarities with Darkrace and Donex ransomware families.

MITRE Techniques

  • [T1190] Initial Access (Exploit Public-Facing Application) – Exploits vulnerabilities in Zyxel firewalls to gain entry into networks.
  • [T1041] Exfiltration (Exfiltration Over C2 Channel) – Exfiltrates large volumes of data from compromised systems.
  • [T1071] Command and Control (Application Layer Protocol) – Uses various command and control methods to maintain communication with compromised systems.
  • [T1203] Execution (Exploitation for Client Execution) – Executes malicious payloads to encrypt files on victim machines. Note that T1203 specifically covers client-side exploits; the summary does not state how the encryptor is launched.
  • [T1486] Impact (Data Encrypted for Impact) – Encrypts files and demands ransom for decryption.
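The T1041 entry above is the one most worth turning into a detection: an intrusion that moves tens of gigabytes out of the network leaves a volume signal in firewall or NetFlow exports even when the channel itself is not recognised. The script below is an added example, not code from the Sekoia article: it sums bytes sent from internal hosts to external destinations and flags any host at or above a threshold. The flow-record format (timestamp,src,dst,bytes), the sample records, the RFC 1918 definition of "internal" and the 10 GiB threshold are all constructed assumptions to be adapted to your own export.

```python
"""Coarse egress-volume check for bulk exfiltration of the kind attributed
to Helldown (T1041): aggregate outbound bytes per internal host and flag
hosts over a threshold.

Added example, not code from the Sekoia article. The flow format, sample
records and threshold are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export, one flow per line: timestamp,src,dst,bytes_out.
SAMPLE_FLOWS = """\
2024-11-01T02:10:00Z,10.0.5.20,203.0.113.7,4500000000
2024-11-01T02:40:00Z,10.0.5.20,203.0.113.7,6200000000
2024-11-01T03:05:00Z,10.0.5.20,203.0.113.7,1100000000
2024-11-01T09:00:00Z,10.0.7.31,198.51.100.9,250000000
2024-11-01T09:30:00Z,10.0.7.31,10.0.1.5,40000000000
2024-11-01T10:00:00Z,10.0.2.8,203.0.113.7,8000000
"""

# Constructed assumption: RFC 1918 ranges are internal; anything else is egress.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (src, dst, nbytes) from the constructed CSV format, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        _ts, src, dst, nbytes = parts
        try:
            yield src, dst, int(nbytes)
        except ValueError:
            continue


def egress_by_host(text: str):
    """Map each internal source to {external_dst: bytes}.

    Internal-to-internal transfers (backups, file shares) are ignored so they
    do not masquerade as exfiltration.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in parse_flows(text):
        if is_internal(src) and not is_internal(dst):
            totals[src][dst] += nbytes
    return {host: dict(dests) for host, dests in totals.items()}


def flag_bulk_egress(text: str, threshold_bytes: int = 10 * 1024**3):
    """Return {host: (total_bytes, top_destination)} for hosts at or above the threshold."""
    flagged = {}
    for host, dests in egress_by_host(text).items():
        total = sum(dests.values())
        if total >= threshold_bytes:
            top = max(dests, key=dests.get)
            flagged[host] = (total, top)
    return flagged


if __name__ == "__main__":
    for host, (total, dst) in flag_bulk_egress(SAMPLE_FLOWS).items():
        print(f"{host}: {total / 1024**3:.1f} GiB to {dst}")
```

On the constructed sample only 10.0.5.20 is flagged (11.8 GB to 203.0.113.7); 10.0.7.31 moves 40 GB but to an internal address, which is exactly the false positive a per-host byte counter without an egress filter would raise. In practice the window and threshold should be tuned per segment, since a single nightly cloud backup can legitimately exceed 10 GiB.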

Indicators of Compromise

  • [File Hash] Helldown payload hashes – 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfabf, 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd, and 5 more hashes
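A hash list is only useful once it is run against something. The script below is an added example, not code from the Sekoia article: it walks a directory tree, streams every regular file through SHA-256 and reports matches against the two full digests listed above (the other five hashes are not reproduced on this page). Because no real sample is available here, the `demo()` function builds a constructed temporary tree and adds the digest of one constructed file to the IoC set for the run, so the matching path is exercised offline.

```python
"""Hash-match files on disk against the Helldown payload SHA-256 indicators.

Added example, not code from the Sekoia article. The two digests are the ones
listed on this page; the files written by demo() are constructed stand-ins.
"""
import hashlib
import os
import tempfile

# The two full SHA-256 values from the IoC list (the remaining five are not on this page).
HELLDOWN_SHA256 = {
    "0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfabf",
    "6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd",
}


def normalize_iocs(hashes):
    """Lower-case the digests and reject anything that is not 64 hex characters."""
    clean = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        clean.add(h)
    return clean


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Return [(path, digest)] for regular files under root whose SHA-256 is in iocs.

    Symlinks are skipped so a planted link cannot steer the scanner outside
    root, and unreadable files are skipped rather than aborting the run.
    """
    wanted = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Scan a constructed tree: one benign file and one stand-in 'sample'.

    No real Helldown binary is used; the stand-in's own digest is added to the
    IoC set for this run, which takes the same matching path a real hit would.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        benign = os.path.join(root, "notes.txt")
        sample = os.path.join(root, "sub", "svc.exe")
        with open(benign, "wb") as fh:
            fh.write(b"quarterly report draft\n")
        with open(sample, "wb") as fh:
            fh.write(b"constructed stand-in for a payload\n")
        iocs = HELLDOWN_SHA256 | {sha256_file(sample)}
        hits = scan_tree(root, iocs)
        return [(os.path.relpath(p, root), d) for p, d in hits]


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"MATCH {rel} {digest}")
```

Exact-hash matching is the cheapest check to deploy but also the easiest for an operator to defeat by rebuilding or padding the binary, so treat a miss as "not this specific build" rather than "clean"; the behavioural signals in the technique list (mass encryption, large outbound transfers) are what catch a recompiled variant.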

Read more: https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/