Source: Nicolas Bentancor via Shutterstock

The purveyor of a rapidly emerging ransomware family being tracked as "Helldown" introduced a new Linux variant, targeting organizations across multiple sectors using VMware ESXi servers.

Several of the victims had Zyxel firewalls deployed as IPSec VPN access points at the time of breach, suggesting the attackers exploited a vulnerability or vulnerabilities in the technology to gain initial access, security researchers at Sekoia reported this week. Since surfacing in August, the group behind Helldown has quickly notched 31 victims, many of them US-based.

Undocumented Zyxel Vulnerabilities?

Available telemetry suggests the Zyxel flaw that the attackers are exploiting is undocumented, Seokia said. But Zyxel has issued fixes for multiple vulnerabilities in its firewalls after Helldown actors breached the company's network, also in August, and then leaked some 250GB worth of data. As of mid-November, no exploit code for any of these vulnerabilities appears to be publicly available, Sekoia said, while leaving open the possibility that the Helldown attackers could be exploiting any one of the vulnerabilities.

"Helldown is a notably active new intrusion set, as shown by its large number of victims," Sekoia researcher Jeremy Scion wrote this week. "Available data indicates that the group mainly targets Zyxel firewalls by exploiting undocumented vulnerabilities." Though the ransomware itself is standard fare, what makes the group dangerous is its apparent access to and effective use of undocumented vulnerability code, Scion noted.

Zyxel firewalls, like many other network and edge technologies, are a popular attacker target. Threat actors have been quick to exploit flaws in the company's products in various campaigns in the past, including one dubbed IZ1H9 that targeted Internet-of-Things (IoT) networks; another involving a Mirai variant; and another that hit Danish critical infrastructure.  

A Troubling Shift

Patrick Tiquet, vice president security and architecture at Keeper Security, viewed Helldown as a troubling shift in ransomware actor tactics. "While ransomware targeting Linux isn't unprecedented, Helldown's focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on," he said via email. "The message to security teams is clear: patch known vulnerabilities, monitor for unusual activity, and treat virtualized environments with the same vigilance as traditional ones."

Multiple security vendors have reported attacks involving Helldown since early August. Most of its victims have been small and medium sized businesses across different sectors, including transportation, manufacturing, healthcare, telecommunications, and IT services. Halycon, one of the first to spot Helldown, described the group as "highly aggressive" and capable of causing substantial disruption and financial losses to victims. According to Halycon, Helldown actors have a penchant for stealing large volumes of data from victims and threatening to leak the data unless it receives a ransom.

In a report earlier this month, Truesec perceived the threat actor as being more sophisticated in its initial compromise techniques compared to better known ransomware operators, such as the one behind Akira. In the attacks that Truesec analyzed, Helldown threat actors leveraged legitimate tools and other living-off-the-land techniques to execute their mission on a compromised network.

Dangerous Adversary

"Recent incidents showed that the group will thoroughly remove tools utilized during a compromise, as well as override the free disk space on the hard drive of different machines, in attempts to hinder the recovery process and reduce the effectiveness of file carving," Trusec observed. Helldown actors likely accessed victim environments directly from their Internet-facing Zyxel firewall, the security vendor posited. Once on a victim network, the threat actor used either TeamViewer or the default Windows RDP client for lateral movement, PowerShell for remote code execution, and Mimikatz to search for and retrieve credentials.

According to Sekoia, reports from multiple Helldown victims indicate that the attacker compromised Zyxel firewalls running firmware version 5.38. "Specifically, a file named zzz1.conf was uploaded, and a user account called OKSDW82A was created" on compromised systems, Scion noted. The attacker then used the temporary account to create an SSL VPN tunnel for accessing and pivoting further into the victim network.  

The attack chain included attempts by the threat actor to disable endpoint detection mechanisms using a tool called HRSword; leverage the domain controller's LDAP credentials to burrow deeper into the network; use certutil to download Advanced Port Scanner; use RDP or TeamViewer for remote access and lateral movement; and use PSExec for remote code execution.

Scion said Sekoia's analysis of the files that Helldown actors have published on their data leak site showed many of them to be unusually large and averaging around 70GB. The biggest file, in fact, weighed in at a hefty 431GB, which is noteworthy because ransomware actors typically tend to be more selective in the files they steal and use for extortion. The contents of the stolen files also tended to be more variable and random than usual for a ransomware operation. "The large volume and variety of data suggest that the attacker does not selectively choose which documents to steal," Scion said. "Instead, they appear to target data sources that store administrative files, such as PDFs and document scans, which typically contain sensitive information (personal, financial, etc.), thereby intensifying the pressure on victims."

Helldown's behavior itself is similar to that of Darkrace, a LockBit variant that first surfaced in August 2023 and may have been rebranded as Donex in February of this year. Though the links between the ransomware strains are not conclusive, there is a possibility that Helldown is a rebrand of Donex, Sekoia said.