Helldown ransomware expands its reach, targeting Linux systems and virtualized environments
2024-11-20
Cybersecurity experts have uncovered new details about Helldown, a ransomware strain that is evolving its tactics to target Linux systems and virtualized infrastructures. Initially identified as a Windows-based ransomware, Helldown has now been linked to attacks against Linux, signalling that the cybercriminal group behind it is expanding its operations.
According to Sekoia, a cybersecurity firm, Helldown is based on the LockBit 3.0 ransomware code, with new modifications aimed at targeting VMware environments and virtualized infrastructures. This development follows a broader trend where ransomware operators are shifting focus to virtualized systems, which can amplify the impact of their attacks.
Helldown was first discovered in August 2024 by Halcyon, which labelled it an "aggressive ransomware group" that gains access to networks by exploiting vulnerabilities. The group has been active in various sectors, including IT services, telecommunications, manufacturing, and healthcare.
Like other ransomware groups, Helldown employs a double extortion technique, threatening to leak stolen data unless the ransom is paid. It is believed to have attacked at least 31 companies in a span of three months.
In a detailed analysis published earlier this month, Truesec explained the attack chain of Helldown, noting that the group often exploits vulnerabilities in internet-facing Zyxel firewalls to gain initial access. Once inside, they use techniques such as credential harvesting and lateral movement to escalate privileges before deploying the ransomware.
Sekoia's recent findings suggest that Helldown's attackers are taking advantage of both known and unknown vulnerabilities in Zyxel devices, which allow them to steal credentials and establish SSL VPN tunnels for persistent access.
The Windows version of Helldown performs several actions before encryption, including deleting system shadow copies, stopping database and Microsoft Office processes, and wiping traces of the attack. Once the encryption is complete, a ransom note is left, and the affected machine is shut down.
The Linux version, however, has been noted for its lack of sophisticated anti-debugging or obfuscation techniques. It primarily searches for files to encrypt but has a unique function of terminating active virtual machines (VMs) before initiating the encryption process. Despite this, research shows that the ransomware doesn't actively use this feature in its current form, suggesting that it may still be in development.
Interestingly, Helldown shares some behavioural similarities with DarkRace, a ransomware strain that emerged in 2023 and was later rebranded as DoNex. Both ransomware variants appear to be based on LockBit 3.0, and there are indications that Helldown could be another rebrand of this older code. However, a definitive link between the strains has yet to be confirmed.
Meanwhile, another ransomware group, Interlock, has also emerged, with a focus on the healthcare, government, and technology sectors in the U.S., as well as manufacturing targets in Europe. Unlike Helldown, Interlock is capable of encrypting both Windows and Linux machines. This development highlights the growing diversification of ransomware threats across multiple platforms and industries.