Linux Variant of Helldown Ransomware Targets VMware ESX Servers

Cybersecurity firm Sekoia has discovered a new variant of Helldown ransomware. The article details their tactics and how they exploit vulnerabilities in network devices, steal sensitive data, and encrypt critical systems.

Sekoia’s cybersecurity researchers have discovered a Linux variant of the new ransomware strain, Helldown, first found by Halcyon and deploys Windows ransomware derived from the LockBit 3.0 code. 

Helldown is a relatively new ransomware group that has been actively targeting organizations since August 2024, affecting over 30 firms in three months. This threat actor primarily exploits vulnerabilities in network devices, particularly Zyxel firewalls.

Once they gain access, they employ a double extortion strategy, encrypting critical data and threatening to leak sensitive information if a ransom is not paid. Researchers suspect that the group is expanding its attacks to target virtualized infrastructures via VMware, “given the recent development of ransomware targeting ESX.” 

Helldown’s Linux variant specifically targets VMware ESX servers. This variant was first spotted by cybersecurity researcher Alex Turing (@TuringAlex) on 31 October 2024. 

According to Sekoia’s blog post shared with Hackread.com, the ransomware’s code focuses on a sample of VMware ESX servers and is straightforward, lacking obfuscation and anti-debugging mechanisms. The main function executes a simple workflow, including configuration loading, file search, encryption, and ransom note creation.

The code also includes a function called kill_vms, which lists and kills VMs sequentially. Terminating VMs before encryption grants ransomware write access to image files, but static and dynamic analysis shows this functionality is not invoked, indicating that the ransomware is still under development or not that advanced.

On its dark web data leak site, the group has disclosed a large amount of data, ranging from 22GB to 431GB, and averaging 70GB excluding outliers. The stolen files are mostly PDFs or scanned documents, likely obtained from servers like NAS systems or electronic document management portals. The large volume suggests the attacker targets data sources storing administrative files, which typically contain sensitive information.

Researchers suspect a connection between Helldown vs. Hellcat and Darkrace/Donex groups, due to the timing of a company (Schneider Electric) compromise and social media activity by alleged Hellcat operators. However, no technical similarities have been found between these groups so far. 

“Two accounts on the X social media, @grepcn and @ReyBreached, claiming to be Hellcat operators, posted to distinguish themselves from Helldown, each displaying Hellcat’s DLS link in their profiles.”

Sekoia’s Threat Detection & Research (TDR) team

For your information, @grepcn has been quite active on Breach Forums. They are also the hacker behind recent data breaches involving Dell (1, 2, 3) and Twilio.

It is also worth noting, though, that Helldown shares behavioural similarities with Darkrace, as both likely originated from leaked LockBit 3 code, and is suspected to be a rebrand of Darkrace.

Nevertheless, to protect against the Helldown attack, organizations should patch their network devices, particularly Zyxel firewalls, with the latest security updates. Adopting crucial security measures like network segmentation, access controls, and regular backups, and educating employees on cybersecurity best practices, including phishing awareness and secure password usage is essential to address evolving ransomware threats proactively.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed on in the latest development stating that Helldown ransomware represents a sophisticated evolution of modern malware.

“Helldown is a prime example of how cybercriminals are piecing together all of the elements of modern malware to create a formidable threat. All of the elements of this malware variant have been seen before, but we are increasingly seeing malware that is strengthening on all fronts,“ Jason explained.

He added that security teams must design protection assuming adversaries will use advanced, well-crafted techniques, rather than relying on flaws or oversights by attackers to mitigate threats.

“From fileless execution to strong custom encryption, this malware variant teaches us that we can’t rely on our adversaries to make mistakes that give us an easy way to mitigate their attacks. Security architects who are building defensive systems against attacks such as this should assume that adversaries are bringing a sophisticated set of tools with few weak spots.“

RELATED TOPICS

1. Telegram-Controlled TgRat Trojan Targets Linux Servers
2. Hackers Deploy Linux FASTCash Malware for ATM Cashouts
3. Play Ransomware Variant Targeting Linux ESXi Environments
4. AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine
5. Linux Malware ‘Perfctl’ Hits Millions by Mimicking System Files