A new ransomware group named ‘Helldown’ has emerged on the threat landscape, exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate systems. According to cybersecurity firms Truesec and Sekoia, the vulnerability aligns with a bug (CVE-2024-42057) publicly reported in Zyxel's forums earlier this month.
First spotted in August 2024, Helldown has targeted over 30 organizations, listing their names on its dark web extortion portal.
The first instance of a Linux-based variant of Helldown ransomware was discovered in October 2024. This version, designed to target VMware files, includes functionalities to identify and terminate virtual machines before encrypting disk images. However, analysts noted that the Linux variant's capabilities appear incomplete, suggesting it is still under development.
Helldown's Windows version, meanwhile, reportedly borrows from the leaked LockBit 3 builder and exhibits operational similarities to Darkrace and Donex ransomware. However, there is no definitive evidence linking Helldown to the other groups.
Helldown often gains initial access by compromising Zyxel firewalls. In one case, the group accessed a victim’s internal environment via the LAN IP address of a Zyxel firewall.
Forensics indicated unexpected network traffic originating from the firewall's internal IP address. This is inconsistent with the default behavior of Zyxel’s SSL-VPN service, which assigns each authenticated user an address from a predefined pool, so a legitimate VPN session should never appear to originate from the firewall's own LAN address. While the exact method remains unconfirmed, evidence suggests the firewalls themselves may have been exploited rather than merely misused via stolen SSL-VPN credentials.
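The observation above translates into a simple detection: flag east-west flows whose source is the firewall's own LAN address rather than an address from the SSL-VPN pool. The following is an added illustration, not code from the Truesec or Sekoia reports; the firewall address, VPN pool, allow-listed ports and flow records are all constructed assumptions that must be replaced with a site's real values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for illustration only (not from the reports).
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")
SSL_VPN_POOL = ipaddress.ip_network("192.168.50.0/24")
# Services the firewall itself legitimately originates toward the LAN.
# Tune per site: if the firewall authenticates VPN users against AD over
# LDAP, 389/636 belong here too, otherwise those flows would be flagged.
EXPECTED_FW_PORTS = {53, 123}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2024-10-12T02:11:04Z 192.168.50.17 192.168.1.20 445
2024-10-12T02:11:09Z 192.168.1.1 192.168.1.20 445
2024-10-12T02:12:30Z 192.168.1.1 192.168.1.5 389
2024-10-12T02:12:45Z 192.168.1.1 192.168.1.5 53
2024-10-12T02:13:01Z 192.168.50.22 192.168.1.5 3389
"""

@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport)))
    return flows

def classify(flow):
    """'vpn': source is in the SSL-VPN pool (normal remote-user traffic).
    'fw-origin': source is the firewall's own LAN IP on a port the firewall
    has no business using; matches the anomaly seen in the Helldown cases.
    'fw-expected' / 'other': benign or out of scope for this check."""
    if flow.src in SSL_VPN_POOL:
        return "vpn"
    if flow.src == FIREWALL_LAN_IP:
        return "fw-expected" if flow.dport in EXPECTED_FW_PORTS else "fw-origin"
    return "other"

def find_suspicious(text):
    return [f for f in parse_flows(text) if classify(f) == "fw-origin"]
```

Running this over real flow logs from the firewall's LAN segment (not from the firewall itself, since a compromised device may not log faithfully) gives a low-noise hunting query for the access pattern described.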
Helldown also created local user accounts on compromised firewalls to establish persistence and was observed employing tools like Mimikatz to extract Active Directory credentials. Additionally, the group used Advanced Port Scanner, downloaded directly from GitHub, to map networks and identify further targets within victim environments.
As of November 7, Helldown's leak site listed 31 victims, primarily small and medium-sized businesses in the United States and Europe. This number has since decreased to 28, suggesting some victims may have paid the ransom.
Unlike other ransomware groups that steal and publish select, high-value data, Helldown indiscriminately uploads massive datasets. In one instance, the group shared a data pack exceeding 431GB.