Cyber Defense Advisors

New ‘Helldown’ Ransomware Variant Expands Attacks to VMware and Linux Systems

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.

“Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”

Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.

Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.

Truesec, in an analysis published earlier this month, detailed Helldown attack chains in which internet-facing Zyxel firewalls are used for initial access, followed by persistence, credential harvesting, network enumeration, defense evasion, and lateral movement, ending in deployment of the ransomware.

Sekoia’s new analysis shows that the attackers are abusing known and unknown security flaws in Zyxel appliances to breach networks, using the foothold to steal credentials and create SSL VPN tunnels with temporary users.
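A concrete hunt for that pattern, added here as an example and not part of the original article or of any vendor report: it correlates account-creation events on the firewall with SSL VPN logins and flags logins by accounts that are outside a known baseline or were created shortly before use, plus accounts that were added and removed within a day (the "temporary user" pattern). The log layout, field names, user names and IP addresses are constructed for the example; Zyxel's actual audit format differs.

```python
from datetime import datetime, timedelta

# Constructed firewall audit lines. The layout "<ts> <event> key=value ..." is
# an assumption for this example, not Zyxel's actual log format.
FIREWALL_LOG = [
    "2024-11-01T01:10:00Z user_add user=admin target=tmp_support src=203.0.113.45",
    "2024-11-01T01:12:30Z sslvpn_login user=tmp_support src=203.0.113.45",
    "2024-11-01T02:05:00Z user_del user=admin target=tmp_support src=203.0.113.45",
    "2024-11-01T08:00:00Z sslvpn_login user=jdoe src=198.51.100.7",
    "2024-10-01T09:00:00Z user_add user=admin target=jdoe src=192.0.2.10",
]
# Assumed baseline: accounts that are supposed to exist on the appliance.
KNOWN_USERS = {"admin", "jdoe"}


def parse(line):
    """Split one audit line into (timestamp, event name, {field: value})."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields


def suspicious_vpn_logins(lines, known_users, window=timedelta(hours=24)):
    """Flag SSL VPN logins by accounts outside the baseline or created less
    than `window` before the login. Returns [(user, src_ip, reasons)]."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    created, hits = {}, []
    for ts, event, f in events:
        if event == "user_add":
            created[f["target"]] = ts
        elif event == "sslvpn_login":
            user, reasons = f["user"], []
            if user not in known_users:
                reasons.append("not in account baseline")
            if user in created and ts - created[user] <= window:
                reasons.append(f"created {ts - created[user]} before login")
            if reasons:
                hits.append((user, f.get("src"), reasons))
    return hits


def short_lived_accounts(lines, window=timedelta(hours=24)):
    """Accounts added and then removed within `window`. Returns {account: lifetime}."""
    created, lifetimes = {}, {}
    for ts, event, f in sorted((parse(l) for l in lines), key=lambda e: e[0]):
        if event == "user_add":
            created[f["target"]] = ts
        elif event == "user_del" and f["target"] in created:
            life = ts - created.pop(f["target"])
            if life <= window:
                lifetimes[f["target"]] = life
    return lifetimes


if __name__ == "__main__":
    for user, src, reasons in suspicious_vpn_logins(FIREWALL_LOG, KNOWN_USERS):
        print(f"VPN login by {user} from {src}: {'; '.join(reasons)}")
    for user, life in short_lived_accounts(FIREWALL_LOG).items():
        print(f"temporary account {user} existed for {life}")
```

The baseline is the important input: without a list of accounts that should exist on the appliance, the only signal left is the short creation-to-login gap, which an attacker who waits a day can defeat.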

The Windows version of Helldown, once launched, performs a series of steps prior to exfiltrating and encrypting files: it deletes system shadow copies, removing the local restore points a victim could otherwise recover from, and terminates various database and Microsoft Office processes so that their open files are not locked during encryption. In the final step, the ransomware binary deletes itself to cover its tracks, a ransom note is dropped, and the machine is shut down.

Its Linux counterpart, per the French cybersecurity company, lacks obfuscation and anti-debugging mechanisms and incorporates a concise set of functions to search for and encrypt files, alongside code intended to list and kill all active virtual machines (VMs) before encryption.

“The static and dynamic analysis revealed no network communication, nor any public key or shared secret,” it said. “This is notable, as it raises questions about how the attacker would be able to supply a decryption tool.”

“Terminating VMs before encryption grants ransomware write access to image files. However, both static and dynamic analysis reveal that, while this functionality exists in the code, it is not actually invoked. All these observations suggest that the ransomware is not highly sophisticated and may still be under development.”
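The behaviours described above are the precursors a detection engineer would alert on: the Windows build's shadow-copy deletion and process termination, and the Linux build's VM enumeration and power-off (present in the code, even if Sekoia found it not invoked). Below is an added example, not code from the article, from Sekoia or from any vendor, that runs simple rules over constructed process-creation lines and ESXi shell-history lines and rates each host by how many distinct precursor techniques it shows. The Windows patterns are the usual vssadmin/wmic/taskkill forms; the ESXi patterns (vim-cmd vmsvc/getallvms, vim-cmd vmsvc/power.off, esxcli vm process kill) are the standard host commands for listing and stopping VMs and are an assumption about what such a build would invoke, since the page does not name the commands Helldown uses.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not real Helldown artefacts. Windows lines
# mimic a process-creation feed reduced to key=value pairs; ESXi lines mimic
# /var/log/shell.log, which records every command run in the ESXi shell.
WINDOWS_EVENTS = [
    'ts=2024-11-01T09:58:10Z host=WS01 user=CORP\\svc_backup cmd="vssadmin delete shadows /all /quiet"',
    'ts=2024-11-01T09:58:12Z host=WS01 user=CORP\\svc_backup cmd="wmic shadowcopy delete"',
    'ts=2024-11-01T09:58:20Z host=WS01 user=CORP\\svc_backup cmd="taskkill /F /IM sqlservr.exe"',
    'ts=2024-11-01T09:58:21Z host=WS01 user=CORP\\svc_backup cmd="taskkill /F /IM winword.exe"',
    'ts=2024-11-01T10:15:00Z host=WS02 user=CORP\\alice cmd="vssadmin list shadows"',
    'ts=2024-11-01T10:20:00Z host=WS02 user=CORP\\alice cmd="taskkill /F /IM notepad.exe"',
]
ESXI_EVENTS = [
    "2024-11-01T10:02:00Z esx01 shell[2101]: [root]: vim-cmd vmsvc/getallvms",
    "2024-11-01T10:02:05Z esx01 shell[2101]: [root]: vim-cmd vmsvc/power.off 12",
    "2024-11-01T10:02:06Z esx01 shell[2101]: [root]: vim-cmd vmsvc/power.off 13",
    "2024-11-01T11:00:00Z esx02 shell[3300]: [root]: esxcli storage filesystem list",
]

# Windows precursors: shadow-copy deletion (removes local restore points) and
# forced termination of database/Office processes (releases their file locks).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I),
]
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
LOCKING_PROCS = {  # processes whose open handles would block encryption
    "sqlservr.exe", "sqlwriter.exe", "mysqld.exe", "oracle.exe", "postgres.exe",
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "msaccess.exe",
}
# ESXi precursors: VM enumeration, then power-off so the .vmdk files are
# writable. Assumed commands; the page does not say what Helldown runs.
ESXI_RULES = [
    ("vm_enumeration", re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b")),
    ("vm_termination", re.compile(r"\bvim-cmd\s+vmsvc/power\.off\s+\d+\b|\besxcli\s+vm\s+process\s+kill\b")),
]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ESXI_LINE = re.compile(r"^(\S+)\s+(\S+)\s+shell\[\d+\]:\s+\[(\w+)\]:\s+(.*)$")


def parse_kv(line):
    """Turn 'k=v k2="v with spaces"' into a dict."""
    return {k: (q if q else u) for k, q, u in KV.findall(line)}


def classify_windows(lines):
    """Map host -> list of (technique, command) for matching process events."""
    findings = defaultdict(list)
    for line in lines:
        f = parse_kv(line)
        host, cmd = f.get("host", "?"), f.get("cmd", "")
        if any(p.search(cmd) for p in SHADOW_DELETE):
            findings[host].append(("shadow_copy_deletion", cmd))
        m = TASKKILL.search(cmd)
        if m and m.group(1).lower() in LOCKING_PROCS:
            findings[host].append(("service_process_kill", cmd))
    return findings


def classify_esxi(lines):
    """Map ESXi host -> list of (technique, command) from shell.log lines."""
    findings = defaultdict(list)
    for line in lines:
        m = ESXI_LINE.match(line)
        if not m:
            continue
        _, host, _, cmd = m.groups()
        for name, pat in ESXI_RULES:
            if pat.search(cmd):
                findings[host].append((name, cmd))
    return findings


def triage(findings):
    """Two or more distinct precursor techniques on one host is 'high'; a single
    one is 'medium', since backup jobs legitimately prune shadow copies."""
    out = {}
    for host, hits in findings.items():
        techs = sorted({t for t, _ in hits})
        out[host] = ("high" if len(techs) >= 2 else "medium", techs)
    return out


if __name__ == "__main__":
    merged = {**triage(classify_windows(WINDOWS_EVENTS)), **triage(classify_esxi(ESXI_EVENTS))}
    for host, (severity, techs) in merged.items():
        print(f"{host}: {severity} {techs}")
```

The rating step matters more than the individual patterns: a lone `vssadmin delete shadows` is common in backup maintenance, but shadow deletion followed within seconds by forced termination of SQL Server and Office, or VM enumeration followed by mass power-off on an ESXi host, has very few benign explanations.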

Helldown Windows artifacts have been found to share behavioral similarities with DarkRace, which emerged in May 2023 using code from LockBit 3.0 and later rebranded to DoNex. A decryptor for DoNex was made available by Avast back in July 2024.

“Both codes are variants of LockBit 3.0,” Sekoia said. “Given DarkRace and DoNex’s history of rebranding and their significant similarities to Helldown, the possibility of Helldown being another rebrand cannot be dismissed. However, this connection cannot be definitively confirmed at this stage.”

The development comes as Cisco Talos disclosed another emerging ransomware family known as Interlock that has singled out healthcare, technology, and government sectors in the U.S., and manufacturing entities in Europe. It’s capable of encrypting both Windows and Linux machines.

Attack chains distributing the ransomware have been observed using a fake Google Chrome browser updater binary hosted on a legitimate-but-compromised news website. When run, the binary unleashes a remote access trojan (RAT) that lets the attackers extract sensitive data and execute PowerShell commands designed to drop payloads for harvesting credentials and conducting reconnaissance.

“In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies accountable for poor cybersecurity, in addition to monetary gain,” Talos researchers said.

Interlock is assessed to be a new group that sprang forth from Rhysida operators or developers, the company added, citing overlaps in tradecraft, tools, and ransomware behavior.

“Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape,” it said. “We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups.”

Coinciding with the arrival of Helldown and Interlock is another new entrant to the ransomware ecosystem called SafePay, which claims to have targeted 22 companies to date. SafePay, per Huntress, also uses LockBit 3.0 as its base, indicating that the September 2022 leak of the LockBit 3.0 builder has spawned several variants.

In two incidents investigated by the company, “the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range,” Huntress researchers said.

“The threat actor was able to use valid credentials to access customer endpoints, and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence.”
