Understanding the Emerging Threat of Helldown Ransomware

Summary:

The report discusses the emergence of the Helldown ransomware group, which has recently expanded its operations to target Linux systems in addition to its previous focus on Windows. The group employs double extortion tactics and exploits vulnerabilities in Zyxel firewalls to gain initial access to victims’ networks. With a significant number of victims reported, Helldown’s methods and techniques are still being analyzed, revealing similarities to other ransomware families.

Key points:

  • Helldown ransomware group is newly active, targeting both Windows and Linux systems.
  • Utilizes double extortion tactics, threatening to publish stolen data if ransom is not paid.
  • Exploits vulnerabilities in Zyxel firewalls for initial access to victims’ networks.
  • Has compromised 31 victims, primarily small and medium-sized businesses, including Zyxel Europe.
  • Engages in large-scale data exfiltration, averaging 70GB per incident.
  • Technical analysis reveals similarities between Helldown and other ransomware families like Darkrace and Donex.

MITRE Techniques:

  • Initial Access (T1190): Exploits vulnerabilities in Zyxel firewalls to gain entry into networks.
  • Data Exfiltration (T1041): Exfiltrates large volumes of data from compromised systems.
  • Command and Control (T1071): Uses various command and control methods to maintain communication with compromised systems.
  • Execution (T1203): Executes malicious payloads to encrypt files on victim machines.
  • Impact (T1486): Encrypts files and demands ransom for decryption.

IoC:

  • [File Hash] 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfabf
  • [File Hash] 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd
  • [File Hash] 9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c
  • [File Hash] ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe
  • [File Hash] 2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e
  • [File Hash] 67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733
  • [File Hash] 2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0
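The hash list above is only useful once it is loaded into something that checks files against it. The following script is an added example written for this summary; it is not code from the Sekoia report or from any vendor tool. It normalises the listed hashes, validates each one as a well-formed SHA-256 digest before using it (one of the entries above is 63 hex characters long rather than 64, so it is rejected as malformed instead of silently never matching), then hashes every file under a directory and reports matches. The sample files it scans are constructed in a temporary directory, and the constructed sample's own digest is added to the watch set purely so the match path runs offline.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 file hashes exactly as listed in the IoC section above.
# One entry is only 63 hex characters long and will fail validation.
HELLDOWN_IOC_HASHES = [
    "0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfabf",
    "6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd",
    "9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c",
    "ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe",
    "2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e",
    "67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733",
    "2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0",
]

# A SHA-256 hex digest is exactly 64 lowercase hex characters.
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def load_iocs(raw_hashes):
    """Normalise and validate IoC hashes.

    Returns (valid_set, malformed_list). Malformed entries are reported rather
    than dropped silently, because a truncated hash can never match anything
    and would give a false sense of coverage.
    """
    valid, malformed = set(), []
    for entry in raw_hashes:
        digest = entry.strip().lower()
        if SHA256_RE.fullmatch(digest):
            valid.add(digest)
        else:
            malformed.append(digest)
    return valid, malformed


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes):
    """Walk `root` and return (path, sha256) for every file whose digest is in `ioc_hashes`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def demo():
    """Run the loader and scanner against a constructed scratch directory."""
    valid, malformed = load_iocs(HELLDOWN_IOC_HASHES)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files; neither has anything to do with real malware.
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample content for the demo")
        benign = Path(tmp) / "benign.txt"
        benign.write_text("ordinary file that should not match")
        # Add the constructed sample's digest to the watch set so the match path
        # is exercised offline. A real sweep uses only the published IoCs.
        watch = valid | {sha256_file(sample)}
        hits = scan_directory(tmp, watch)
    return {
        "valid_iocs": len(valid),
        "malformed_iocs": len(malformed),
        "malformed_lengths": [len(h) for h in malformed],
        "hits": len(hits),
        "hit_names": sorted(os.path.basename(p) for p, _ in hits),
    }


if __name__ == "__main__":
    print(demo())
```

A hash sweep like this only catches the exact samples the report lists; any rebuilt or repacked binary will have a different digest, so hash IoCs complement behavioural detection rather than replace it. The validation step is the part worth keeping: feed lists through it before loading them into an EDR or SIEM watchlist, and treat a rejected entry as something to re-check against the original report.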


Full Research: https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/