Cybersecurity researchers have disclosed a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
“Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Among the prominent sectors targeted by the cybercrime group are IT services, telecommunications, manufacturing, and healthcare.
Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic referred to as double extortion. It is estimated to have attacked at least 31 companies within a span of three months.
Truesec, in an analysis published earlier this month, detailed Helldown attack chains that were observed using internet-facing Zyxel firewalls to obtain initial access, followed by carrying out persistence, credential harvesting, network enumeration, defense evasion, and lateral movement activities to ultimately deploy the ransomware.
Sekoia’s new analysis reveals that the attackers are abusing known and unknown security flaws in Zyxel appliances to breach networks, using the foothold to steal credentials and create SSL VPN tunnels with temporary users.
The Windows version of Helldown, once launched, performs a series of steps prior to exfiltrating and encrypting the files, including deleting system shadow copies and terminating various processes related to databases and Microsoft Office. In the final step, the ransomware binary is deleted to cover up the tracks, a ransom note is dropped, and the machine is shut down.
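The pre-encryption sequence described above (shadow copy deletion, killing database and Office processes, self-deletion, shutdown) is noisy from a defender's perspective, because each step leaves a process-creation event. The following is an added detection example, not code from the article, Sekoia or any of the vendors named; it runs over constructed process-creation log lines (timestamp, host, command line, a hypothetical format) and raises an alert when several of those stages occur on one host inside a short window, which is more robust than alerting on any single command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation records (not from the article):
# "<ISO timestamp> <host> <command line>". host-a shows the chain the
# article describes; host-b shows benign activity that must not alert.
SAMPLE_LOGS = """\
2024-11-18T09:12:01Z host-a cmd.exe /c vssadmin.exe delete shadows /all /quiet
2024-11-18T09:12:03Z host-a taskkill.exe /F /IM sqlservr.exe
2024-11-18T09:12:03Z host-a taskkill.exe /F /IM winword.exe
2024-11-18T09:13:40Z host-a cmd.exe /c del /f /q C:\\Users\\Public\\update.exe
2024-11-18T09:13:41Z host-a shutdown.exe /s /t 0
2024-11-18T10:05:00Z host-b taskkill.exe /F /IM notepad.exe
2024-11-18T10:30:00Z host-b shutdown.exe /r /t 0
"""

# One regex per stage of the chain. Process names in the kill stage are a
# representative set chosen for this example, not a list from the article.
STAGES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "db_office_process_kill": re.compile(
        r"taskkill(\.exe)?.*\b(sqlservr|mysqld|oracle|winword|excel|outlook)\.exe", re.I),
    "self_deletion": re.compile(r"cmd(\.exe)?\s+/c\s+del\b", re.I),
    "shutdown": re.compile(r"shutdown(\.exe)?\s+/[sr]\b", re.I),
}


def parse_line(line):
    """Split one record into (timestamp, host, command line)."""
    ts, host, cmdline = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, cmdline


def classify(cmdline):
    """Return the names of every stage whose pattern matches the command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]


def detect(log_text, window=timedelta(minutes=10), min_stages=3):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages were seen within `window` of each other."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, cmd = parse_line(line)
        for stage in classify(cmd):
            events[host].append((ts, stage))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        # Slide a window starting at each event and collect the distinct
        # stages that fall inside it.
        for i, (start, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_LOGS).items():
        print(f"ALERT {host}: ransomware-like pre-encryption chain: {', '.join(stages)}")
```

Only host-a is reported, because a lone `shutdown /r` or a `taskkill` of an unrelated process on host-b never accumulates three distinct stages. The threshold and window are tunable; a real deployment would feed this from Sysmon event ID 1 or EDR process telemetry rather than flat text.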
Its Linux counterpart, per the French cybersecurity company, lacks obfuscation and anti-debugging mechanisms, while incorporating a concise set of functions to search for and encrypt files, but not before listing and killing all active virtual machines (VMs).
“The static and dynamic analysis revealed no network communication, nor any public key or shared secret,” it stated. “This is notable, as it raises questions about how the attacker would be able to supply a decryption tool.”
“Terminating VMs before encryption grants ransomware write access to image files. However, both static and dynamic analysis reveal that, while this functionality exists in the code, it is not actually invoked. All these observations suggest that the ransomware is not highly sophisticated and may still be under development.”
Helldown Windows artifacts have been found to share behavioral similarities with DarkRace, which emerged in May 2023 using code from LockBit 3.0 and later rebranded to DoNex. A decryptor for DoNex was made available by Avast back in July 2024.
“Both codes are variants of LockBit 3.0,” Sekoia stated. “Given Darkrace and Donex’s history of rebranding and their significant similarities to Helldown, the possibility of Helldown being another rebrand cannot be dismissed. However, this connection cannot be definitively confirmed at this stage.”
The development comes as Cisco Talos disclosed another emerging ransomware family called Interlock that has singled out healthcare, technology, and government sectors in the U.S., and manufacturing entities in Europe. It is capable of encrypting both Windows and Linux machines.
Attack chains distributing the ransomware have been observed using a fake Google Chrome browser updater binary hosted on a legitimate-but-compromised news website that, when run, unleashes a remote access trojan (RAT) that allows the attackers to extract sensitive data and execute PowerShell commands designed to drop payloads for harvesting credentials and conducting reconnaissance.
“In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies accountable for poor cybersecurity, in addition to monetary gain,” Talos researchers said.
Interlock is assessed to be a new group that sprang forth from Rhysida operators or developers, the company added, citing overlaps in tradecraft, tools, and ransomware behavior.
“Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape,” it stated. “We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups.”
Coinciding with the arrival of Helldown and Interlock is another new entrant to the ransomware ecosystem called SafePay, which claims to have targeted 22 companies to date. SafePay, per Huntress, also uses LockBit 3.0 as its base, indicating that the leak of the LockBit source code has spawned multiple variants.
In two incidents investigated by the company, “the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range,” Huntress researchers said.
“The threat actor was able to use valid credentials to access customer endpoints, and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence.”
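The Huntress observation above, and the earlier Sekoia note about SSL VPN tunnels created for temporary users, point to the same blind spot: once a VPN gateway hands out an internal address, endpoint logs show only that internal address and a valid account, so nothing on the endpoint looks wrong. The example below is added here and is not code from the article or from Huntress; it joins constructed VPN session records to constructed endpoint authentication records (both in a hypothetical key=value format, with a hypothetical 10.8.0.0/24 VPN pool) so that every logon from the pool is attributed back to the VPN account and external source that held the address, then flags sessions that fan out to many hosts or authenticate as an account other than the VPN user.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed address pool the VPN gateway assigns to clients (constructed).
VPN_POOL = ip_network("10.8.0.0/24")

# Constructed VPN gateway records: who got which pool address, from where.
VPN_SESSIONS = """\
2024-11-18T01:55:00Z vpn user=jsmith assigned_ip=10.8.0.12 src=203.0.113.45 event=session_start
2024-11-18T02:02:00Z vpn user=backup-svc assigned_ip=10.8.0.21 src=198.51.100.7 event=session_start
"""

# Constructed endpoint authentication records. The 10.8.0.21 logons are all
# successful, use a valid account and enable nothing, which is exactly the
# quiet pattern described in the article.
ENDPOINT_AUTH = """\
2024-11-18T02:10:12Z auth src_ip=10.8.0.21 user=administrator host=fileserver01 result=success
2024-11-18T02:11:03Z auth src_ip=10.8.0.21 user=administrator host=db01 result=success
2024-11-18T02:11:40Z auth src_ip=10.8.0.21 user=administrator host=hr-ws07 result=success
2024-11-18T02:30:00Z auth src_ip=10.8.0.12 user=jsmith host=jsmith-laptop result=success
2024-11-18T02:35:00Z auth src_ip=10.20.5.9 user=alice host=alice-ws result=success
"""


def parse(line):
    """Turn '<ts> <source> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, source, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def load(text):
    return [parse(line) for line in text.splitlines() if line.strip()]


def attribute(vpn_text, auth_text):
    """For each endpoint logon from the VPN pool, attach the VPN account and
    external source of the most recent session that owned that address."""
    sessions = [r for r in load(vpn_text) if r.get("event") == "session_start"]
    attributed = []
    for auth in load(auth_text):
        if ip_address(auth["src_ip"]) not in VPN_POOL:
            continue  # genuinely internal source; out of scope here
        owners = [s for s in sessions
                  if s["assigned_ip"] == auth["src_ip"] and s["ts"] <= auth["ts"]]
        if owners:
            session = max(owners, key=lambda s: s["ts"])
            attributed.append({**auth, "vpn_user": session["user"],
                               "external_src": session["src"]})
        else:
            attributed.append({**auth, "vpn_user": None, "external_src": None})
    return attributed


def suspicious_sessions(attributed, max_hosts=2):
    """Flag VPN accounts that reached more than `max_hosts` endpoints or
    logged on with an account other than the VPN account itself."""
    per_user = defaultdict(lambda: {"hosts": set(), "accounts": set(), "external_src": None})
    for rec in attributed:
        if rec["vpn_user"] is None:
            continue
        entry = per_user[rec["vpn_user"]]
        entry["hosts"].add(rec["host"])
        entry["accounts"].add(rec["user"])
        entry["external_src"] = rec["external_src"]

    flagged = {}
    for vpn_user, entry in per_user.items():
        reasons = []
        if len(entry["hosts"]) > max_hosts:
            reasons.append(f"fan-out to {len(entry['hosts'])} hosts")
        other = entry["accounts"] - {vpn_user}
        if other:
            reasons.append("endpoint account differs from VPN account: " + ", ".join(sorted(other)))
        if reasons:
            flagged[vpn_user] = {"external_src": entry["external_src"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for user, info in suspicious_sessions(attribute(VPN_SESSIONS, ENDPOINT_AUTH)).items():
        print(f"VPN account {user} from {info['external_src']}: {'; '.join(info['reasons'])}")
```

The result names `backup-svc` together with its external source address, turning three unremarkable "valid credential" logons into a lead that can be taken back to the gateway logs. Session end records, address reuse across sessions and a whitelist of expected jump hosts are the obvious additions before running this against real gateway and domain controller data.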