Helldown Ransomware Attacking VMware ESX And Linux Servers

Helldown, a new ransomware group, actively exploits vulnerabilities to breach networks; since August 2024 it has compromised 28 victims, leaking their data on a dedicated website.

The ransomware group has updated its data leak site, removing three victims, possibly indicating successful ransom payments, while continuing its double extortion tactic of stealing data and threatening to leak it if ransom demands are not met.

It was active mainly in August and October and has compromised over 30 victims, including small and medium-sized businesses and larger organizations such as Zyxel Europe, as its focus appears to have shifted between active attacks and tool development.

Figure: Helldown ransom note from the XML configuration

An analysis revealed that at least eight victims, including one compromised in early August, used Zyxel firewalls for IPSec VPN access at the time of their breach, and two of them subsequently replaced their Zyxel firewalls post-compromise, as indicated by Censys historical data.

Zyxel firewalls running v5.38 firmware were compromised, potentially through exploitation of the critical CVE-2024-42057 vulnerability.

An attacker uploaded a potentially malicious ELF binary, possibly linked to the recent breaches, but the payload is incomplete.

Threat actors are exploiting vulnerabilities in Zyxel firewalls to create unauthorized accounts, such as “SUPPOR87” and “VPN,” via SSL VPN, potentially granting them unauthorized access to victim systems.

The Helldown group exploited a Zyxel vulnerability to compromise firewalls, using the OKSDW82A account to access the network via SSL VPN; post-compromise actions included lateral movement, privilege escalation, and the deployment of tools such as Advanced Port Scanner and HRSword, indicating ransomware intentions.

Figure: Helldown ransomware icon for encrypted files

It exfiltrates large volumes of data, including sensitive documents, directly from network file shares in a largely untargeted way, intensifying pressure on victims by exposing a wide range of confidential information.

The Windows executable payload is a ransomware variant that encrypts files, generates a ransom note, and persists on the infected system using Windows APIs.

The ransomware deletes system shadow copies, drops and executes a script to terminate critical processes, encrypts files, modifies filenames and icons, generates a ransom note, removes its traces, and shuts down the system.

According to Sekoia, it loads its configuration from an XOR-encrypted XML file, checks for administrator privileges, disables 64-bit file system redirection, and then encrypts the specified files while deleting shadow copies and replacing file icons with a ransom note.

By executing commands, it deletes shadow copies, drops an icon, modifies the registry, then terminates the specified processes, creates a ransom note, and finally shuts down the system.
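As an added example that is not part of the article or of Sekoia's analysis, the following analyst script shows how a XOR-encrypted XML configuration of the kind described above can be recovered from a sample with a known-plaintext guess (the XML declaration) and its ransom-note and extension fields pulled out for triage. The config layout, field names, key and values are all invented for the example; it assumes a repeating XOR key no longer than the known prefix.

```python
# Added example: recover a XOR-encrypted XML config blob and extract triage fields.
# The sample config, key and field names below are constructed, not from a real sample.
import xml.etree.ElementTree as ET
from itertools import cycle

KNOWN_PREFIX = b"<?xml version="  # every such config is expected to start with this


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, max_key_len: int = len(KNOWN_PREFIX)):
    """Known-plaintext recovery: for each candidate key length, derive the key from
    the expected prefix, decrypt, and accept only output that parses as XML.
    Returns (key, plaintext) or (None, None) if no key up to max_key_len fits."""
    for klen in range(1, max_key_len + 1):
        key = bytes(blob[i] ^ KNOWN_PREFIX[i] for i in range(klen))
        plain = xor_bytes(blob, key)
        if not plain.startswith(KNOWN_PREFIX):  # derived key disagrees with rest of prefix
            continue
        try:
            ET.fromstring(plain)
        except (ET.ParseError, ValueError):  # right prefix but not XML: wrong length
            continue
        return key, plain
    return None, None


def extract_fields(plain: bytes) -> dict:
    """Flatten the decrypted config into {tag: text} for quick triage."""
    root = ET.fromstring(plain)
    return {child.tag: (child.text or "").strip() for child in root}


# Constructed sample (hypothetical layout with the kinds of fields the article mentions).
SAMPLE_CONFIG = (b'<?xml version="1.0"?>\n<config>\n'
                 b'  <extension>.locked_example</extension>\n'
                 b'  <note>Your files are encrypted. Contact us to restore them.</note>\n'
                 b'  <kill>example_db.exe,example_backup.exe</kill>\n</config>\n')
SAMPLE_KEY = b"\x5a\xa7\x13"            # invented 3-byte repeating key
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_key(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    for tag, text in extract_fields(plain).items():
        print(f"{tag}: {text}")
```

On a real sample the blob would be read from disk and the recovered fields (process kill list, extension, note text) feed directly into detection content and victim communications.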

Helldown, a new threat actor, exploits undocumented Zyxel firewall vulnerabilities to gain network access and deploy basic ransomware. Its success lies in its ability to exploit these vulnerabilities rather than in the sophistication of its malware.

The group exploited a Zyxel vulnerability to deploy LockBit 3 ransomware, likely targeting virtualized VMware infrastructures; this vulnerability, not yet assigned a CVE, has been addressed by Zyxel in a recent firmware update.
