Helldown

Malware updated 5 hours ago (2024-11-21T11:32:09.823Z)

Download STIX

Preview STIX

Helldown, a malware intrusion set that first surfaced in August 2024, is causing significant concern in the cybersecurity community. Initially known for targeting Windows systems, the Helldown group has expanded its operations to include VMware ESX servers and Linux environments. According to a report by Sekoia’s Threat Detection & Research (TDR) team, the malware operates using a double-extortion model, frequently exploiting vulnerabilities in Zyxel firewalls to gain initial access. The recent discovery of a Linux variant suggests that Helldown is diversifying its targets, intensifying the threat it poses. The behavior of Helldown is similar to Darkrace, a LockBit variant that appeared in August 2023, which may have been rebranded as Donex earlier this year. Although the links between these ransomware strains are not conclusive, Sekoia posits that Helldown could be a rebrand of Donex. The malware typically targets data sources storing administrative files containing sensitive information, thereby increasing the pressure on victims. Analysis of the files published on Helldown's data leak site reveals them to be unusually large, averaging around 70GB. In terms of attack tactics, Helldown actors are likely accessing victim environments directly from their Internet-facing Zyxel firewall, particularly those running firmware version 5.38. They use legitimate tools and other living-off-the-land techniques to execute their mission on compromised networks. Furthermore, they exhibit a penchant for stealing large volumes of data from victims and threatening to leak the data unless a ransom is paid. This focus on VMware systems indicates an evolution in Helldown operators' strategy to disrupt virtualized infrastructures that many businesses rely on, marking a troubling shift in ransomware actor tactics.

Description last updated: 2024-11-21T10:32:17.111Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Donex is a possible alias for Helldown. DoNex is a form of malware, specifically ransomware, known for its harmful effects on computer systems and data. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, subsequently stealing personal information, disrupting operations, or holding data hos	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Linux

Ransomware

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Helldown. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2
The Darkrace Malware is associated with Helldown. DarkRace, a malicious software (malware), emerged in mid-2023 as a ransomware variant using tactics similar to the LockBit lineage. This was after the LockBit source code was leaked by a developer from the ransomware group in September 2022. DarkRace employed a double extortion method, holding stole	Unspecified	2

Source Document References

Information about the Helldown Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	DARKReading	8 hours ago	Linux Variant of Helldown Ransomware Targets VMware
	InfoSecurity-magazine	8 hours ago	Helldown Ransomware Expands to Target VMware and Linux Systems