Emulating the Hellish Helldown Ransomware

Helldown is a ransomware strain, first identified in August 2024, that is notably modular, employs anti-analysis tricks and targets both Windows and Linux systems. It follows the double-extortion model: sensitive data is exfiltrated before the victim's systems are encrypted, and the threat of publishing that data is used to pressure payment. Its operators also take deliberate steps to hinder data recovery, which makes the strain a serious threat across sectors. Reported victims include museums, cargo transport firms and Zyxel's European subsidiary.

Key points:

  • Helldown ransomware was first identified in August 2024.
  • Operates using double extortion tactics by threatening to leak exfiltrated data.
  • Targets both Windows and Linux platforms.
  • Deletes Volume Shadow Copies and takes other steps to hinder data recovery once files are encrypted.
  • Victims range across multiple sectors including museums and transport firms.
  • AttackIQ has released an attack graph that emulates Helldown's behavior so organizations can validate their security controls against it.

MITRE ATT&CK Techniques:

  • Ingress Tool Transfer (T1105): The attack graph downloads the Helldown sample to memory and to disk, testing whether controls block or flag the transfer.
  • Virtualization/Sandbox Evasion (T1497): Calls the IsDebuggerPresent API and changes behavior when a debugger is attached (ATT&CK also catalogues this specific check as Debugger Evasion, T1622).
  • Inhibit System Recovery (T1490): Runs vssadmin.exe and wmic to delete Volume Shadow Copies, removing the local restore points a victim could otherwise use to recover files.
  • Query Registry (T1012): Reads the MachineGuid value (HKLM\SOFTWARE\Microsoft\Cryptography) from the registry to obtain a stable per-host identifier.
  • System Network Connections Discovery (T1049): Enumerates network resources through Windows API calls.
  • System Information Discovery (T1082): Collects host details through Native API calls such as GetSystemInfo.
  • Data Encrypted for Impact (T1486): Encrypts files with a routine built on Salsa20 and RSA-2048; in the usual arrangement the stream cipher handles file contents and the asymmetric key protects the per-file keys, so recovery needs the operators' private key.
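The shadow-copy deletion in T1490 is the most reliably observable step in the list above. The following Python is an added example, not AttackIQ's attack-graph code or anything taken from Helldown: it applies two rules to constructed process-creation records shaped like Sysmon Event ID 1 fields and flags the vssadmin.exe and wmic invocations that delete shadow copies while leaving a benign listing and an inventory command alone. The event contents, rule names and the parent executable path are assumptions made for the example.

```python
"""Detection check for Inhibit System Recovery (T1490) as used by Helldown.

Added example, not code from the AttackIQ page: applies two rules to
process-creation records shaped like Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Constructed records for the example; paths and the parent are assumptions.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe  Delete Shadows /All /Quiet",
                 r"C:\Users\Public\update.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete",
                 r"C:\Users\Public\update.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows",              # benign: only lists
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption",                # benign: inventory
                 r"C:\Windows\System32\cmd.exe"),
]

# (rule name, expected image file name, pattern over the normalised command line)
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe", re.compile(r"\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete", "wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b")),
]


def image_name(path: str) -> str:
    """Lower-case file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalise(command_line: str) -> str:
    """Lower-case and collapse whitespace so case and spacing tricks don't matter."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def match_t1490(event: ProcessEvent) -> list:
    """Names of the rules the event triggers (empty list when benign)."""
    img = image_name(event.image)
    cmd = normalise(event.command_line)
    return [name for name, image, pattern in RULES
            if img == image and pattern.search(cmd)]


def detect(events) -> list:
    """One finding per triggered rule, carrying the parent for pivoting."""
    findings = []
    for ev in events:
        for rule in match_t1490(ev):
            findings.append({
                "technique": "T1490",
                "rule": rule,
                "image": image_name(ev.image),
                "parent": image_name(ev.parent_image),
                "command_line": ev.command_line,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['rule']}: {f['parent']} -> {f['image']} {f['command_line']!r}")
```

Because Sysmon logs every process, a `cmd /c wmic shadowcopy delete` wrapper still produces a child event whose image is wmic.exe, which is why the rules key on the image name rather than on the first token of the command line. The parent image is carried into each finding so an analyst can pivot to whatever spawned the deletion; vssadmin.exe launched by anything other than an administrator's shell or backup software is itself worth a look.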

Indicators of Compromise:

  • [Executable] vssadmin.exe (used for deleting Volume Shadow Copies)
  • [Command] wmic (used for deleting Volume Shadow Copies)
  • [Windows API] IsDebuggerPresent (used for sandbox evasion)
  • [Windows API] GetSystemInfo (used to retrieve system information)
  • [Encryption Algorithm] Salsa20 + RSA-2048 (used for file encryption)
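The artefacts above can all be checked statically in an unpacked sample. The scanner below is an added example, not the page's or AttackIQ's code, and the image it scans is constructed inline rather than taken from Helldown. It looks for the two import names, for the Salsa20 key-expansion constants (both as a contiguous string and as four 32-bit immediates, which is how a compiler often emits them), and for common containers of a 2048-bit RSA public key. The key-container formats are assumptions: the page does not say how Helldown stores its RSA key.

```python
"""Static triage for the Helldown artefacts listed above.

Added example, not the page's or AttackIQ's code: scans a byte image for
import names, Salsa20 key-expansion constants and RSA-2048 key containers.
"""
import struct

IMPORT_NAMES = [b"IsDebuggerPresent", b"GetSystemInfo"]

# Salsa20 key-expansion constants ("sigma" for 256-bit keys, "tau" for
# 128-bit keys). ChaCha20 uses the same sigma, so a hit is a lead, not proof.
SALSA20_CONSTANTS = {
    "salsa20_sigma_256bit": b"expand 32-byte k",
    "salsa20_tau_128bit": b"expand 16-byte k",
}

# Common containers for a 2048-bit RSA public key. Which of these (if any)
# Helldown embeds is an assumption made for the example.
RSA2048_HEADERS = {
    # CryptoAPI PUBLICKEYBLOB: bType=6 (PUBLICKEYBLOB), bVersion=2, reserved,
    # aiKeyAlg=CALG_RSA_KEYX (0x0000A400), magic "RSA1", bitlen=2048.
    "cryptoapi_publickeyblob_rsa2048":
        bytes([0x06, 0x02, 0x00, 0x00]) + struct.pack("<I", 0xA400)
        + b"RSA1" + struct.pack("<I", 2048),
    # DER SubjectPublicKeyInfo of a 2048-bit RSA key with a 3-byte exponent:
    # SEQUENCE(0x122) { SEQUENCE(0x0d) { OID rsaEncryption ...
    "der_spki_rsa2048": bytes.fromhex("30820122300d06092a864886f70d010101"),
    # DER PKCS#1 RSAPublicKey: SEQUENCE(0x10a) { INTEGER(0x101) 00 <modulus> ...
    "der_pkcs1_rsapublickey_2048": bytes.fromhex("3082010a0282010100"),
}


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def find_split_constant(data: bytes, const: bytes, window: int = 64) -> list:
    """Offsets where the four 32-bit words of a 16-byte constant appear in
    order within `window` bytes, as when a compiler loads them as separate
    immediates (e.g. four `mov dword ptr [ebp+disp], imm32` instructions)."""
    words = [const[i:i + 4] for i in range(0, 16, 4)]
    hits = []
    for start in find_all(data, words[0]):
        pos = start
        for w in words[1:]:
            pos = data.find(w, pos + 4, start + window)
            if pos == -1:
                break
        else:
            hits.append(start)
    return hits


def triage(data: bytes) -> list:
    """Sorted (offset, label) findings for the image."""
    findings = []
    for name in IMPORT_NAMES:
        findings += [(off, "import:" + name.decode()) for off in find_all(data, name)]
    for label, const in SALSA20_CONSTANTS.items():
        findings += [(off, label + ":contiguous") for off in find_all(data, const)]
        findings += [(off, label + ":split") for off in find_split_constant(data, const)
                     if data[off:off + 16] != const]   # contiguous hits already reported
    for label, header in RSA2048_HEADERS.items():
        findings += [(off, label) for off in find_all(data, header)]
    return sorted(findings)


def build_sample() -> bytes:
    """Constructed test image (not a Helldown sample): an import-name string,
    sigma emitted as four mov-immediate instructions, and a CryptoAPI
    RSA-2048 public key blob with a dummy modulus."""
    sigma = SALSA20_CONSTANTS["salsa20_sigma_256bit"]
    image = bytearray(b"\x00" * 64)
    image += b"KERNEL32.dll\x00\x00\x00IsDebuggerPresent\x00" + b"\x00" * 32
    words = (sigma[i:i + 4] for i in range(0, 16, 4))
    for disp, word in zip((0xC0, 0xC4, 0xC8, 0xCC), words):
        image += b"\xc7\x45" + bytes([disp]) + word   # mov dword ptr [ebp+disp8], imm32
    image += b"\x00" * 32
    image += (RSA2048_HEADERS["cryptoapi_publickeyblob_rsa2048"]
              + struct.pack("<I", 65537) + b"\xaa" * 256)   # pubexp + dummy modulus
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, label in triage(data):
        print(f"0x{off:08x}  {label}")
```

The "expand 32-byte k" constant is shared with ChaCha20 and appears in any binary that statically links a crypto library, and IsDebuggerPresent is imported by plenty of legitimate software, so these hits narrow which samples deserve a debugger session rather than deliver a verdict. The scanner has to be run on unpacked or memory-dumped code; a packed sample hides all of this.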

Full Story: https://www.attackiq.com/2025/04/24/emulating-helldown-ransomware/