Cybersecurity experts have uncovered a Linux variant of a newer ransomware strain known as Helldown, indicating that the operators may be expanding their attack scope.
“Helldown leverages Windows ransomware derived from LockBit 3.0 code,” Sekoia stated in a report shared with The Hacker News. “With the recent emergence of ransomware aimed at ESX, it seems the group is adapting its operations to target virtualized infrastructures via VMware.”
Helldown was initially documented by Halcyon in mid-August 2024, which described it as an “aggressive ransomware group” that breaches target networks by exploiting security vulnerabilities. Key industries affected by the group include IT services, telecommunications, manufacturing, and healthcare.
Similar to other ransomware groups, Helldown employs data leak sites to coerce victims into paying ransoms under the threat of exposing stolen data, a strategy known as double extortion. Reports estimate it has impacted at least 31 organizations within a three-month period.
Truesec, in an analysis released earlier this month, detailed Helldown’s attack techniques, which exploit internet-facing Zyxel firewalls for initial access. The attackers then establish persistence, harvest credentials, enumerate networks, evade defenses, and perform lateral movement to deploy the ransomware.
Sekoia’s latest findings reveal that the attackers exploit both documented and undocumented vulnerabilities in Zyxel devices to infiltrate networks, using the access to steal credentials and create temporary SSL VPN users for further penetration.
The Windows variant of Helldown, once executed, performs several actions before encrypting files, such as deleting system shadow copies and terminating processes linked to databases and Microsoft Office. To obfuscate its activity, the ransomware deletes its binary post-attack, drops a ransom note, and shuts down the system.
In contrast, its Linux counterpart lacks obfuscation and anti-debugging features but includes streamlined functions to identify and encrypt files. Before doing so, it lists and shuts down all active virtual machines (VMs).
“The static and dynamic analysis found no evidence of network communication, public keys, or shared secrets,” Sekoia noted. “This is significant as it raises questions about how decryption tools would be provided by the attackers.”
Shutting down the VMs before encryption would let the ransomware write directly to their disk image files. However, both static and dynamic analysis indicate that while this capability exists in the code, it is not actively used. These findings suggest that the ransomware is relatively unsophisticated and potentially still in development.
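The behaviour described above (power off every running VM, then write to the disk images) is a pattern a defender can look for in hypervisor logs. The following is an added detection example, not Sekoia's or the ransomware's code; the log format, event names and VM names are constructed for illustration and are not a real ESXi log schema.

```python
"""Heuristic for the Helldown-style Linux pattern: a burst of VM power-off
events followed by writes to VM disk image or config files.
Added example; the log format below is constructed, not a real hypervisor schema."""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> <object>"
SAMPLE_LOG = """\
2024-11-10T02:14:01 vm_poweroff vm-db01
2024-11-10T02:14:02 vm_poweroff vm-web01
2024-11-10T02:14:02 vm_poweroff vm-file01
2024-11-10T02:14:03 vm_poweroff vm-dc01
2024-11-10T02:14:09 file_write /vmfs/volumes/ds1/vm-db01/vm-db01.vmdk
2024-11-10T02:14:10 file_write /vmfs/volumes/ds1/vm-web01/vm-web01.vmdk
2024-11-10T02:14:11 file_write /vmfs/volumes/ds1/vm-web01/vm-web01.vmx
"""

# Assumed disk/config suffixes worth watching; extend for your hypervisor.
IMAGE_SUFFIXES = (".vmdk", ".vmx", ".qcow2", ".vhdx")


def parse_events(log_text):
    """Parse constructed log lines into (timestamp, event, target) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole scan
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def detect_mass_poweroff_then_write(events, window=timedelta(minutes=5), min_vms=3):
    """Return details if >= min_vms VMs are powered off inside `window` and,
    after that threshold is reached, image/config files are written in the
    same window; otherwise None. Single stray power-offs do not trigger."""
    events = sorted(events)
    for i, (t0, kind, _) in enumerate(events):
        if kind != "vm_poweroff":
            continue
        vms, writes = set(), []
        for t, ev, target in events[i:]:
            if t - t0 > window:
                break
            if ev == "vm_poweroff":
                vms.add(target)
            elif ev == "file_write" and target.endswith(IMAGE_SUFFIXES) and len(vms) >= min_vms:
                writes.append(target)
        if len(vms) >= min_vms and writes:
            return {"powered_off": sorted(vms), "image_writes": writes}
    return None


if __name__ == "__main__":
    print(detect_mass_poweroff_then_write(parse_events(SAMPLE_LOG)))
```

Tune `window` and `min_vms` to the host's normal maintenance behaviour so that planned patch-reboot cycles do not trigger the rule.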
Artifacts from Helldown’s Windows version exhibit behavioral similarities to DarkRace, a ransomware strain that first surfaced in May 2023 utilizing LockBit 3.0 code and later rebranded as DoNex. In July 2024, Avast released a decryptor for DoNex.
“Both are derivatives of LockBit 3.0,” Sekoia stated. “Considering DarkRace and DoNex’s history of rebranding and their notable overlap with Helldown, it’s plausible that Helldown is another rebrand. However, this cannot be conclusively verified at present.”
Meanwhile, Cisco Talos has reported on a newly identified ransomware family named Interlock, which has targeted healthcare, technology, and government sectors in the U.S., as well as manufacturing organizations in Europe. This strain is capable of encrypting systems running Windows and Linux.
Observed attack chains delivering Interlock involve a fake Google Chrome updater binary hosted on a legitimate but compromised news website. When executed, it deploys a remote access trojan (RAT), enabling attackers to extract sensitive data and execute PowerShell commands to deploy additional payloads for credential theft and reconnaissance.
“In their communications, Interlock claims to exploit unpatched vulnerabilities to compromise infrastructure and justifies their actions as both a response to poor cybersecurity practices and a means of financial gain,” Talos researchers noted.
Talos also suggested that Interlock could be a new operation stemming from Rhysida’s operators or developers, citing similarities in tactics, tools, and ransomware behavior.
“Interlock’s potential connection to Rhysida aligns with broader trends in ransomware operations,” the company explained. “We’re seeing ransomware groups diversify their capabilities, adopt more sophisticated approaches, and increasingly collaborate across group boundaries.”
Accompanying the emergence of Helldown and Interlock is another ransomware actor called SafePay, which claims responsibility for attacks on 22 organizations so far. According to Huntress, SafePay is also built on LockBit 3.0, highlighting the proliferation of variants derived from the leaked LockBit source code.
In two incidents analyzed by Huntress, “the threat actor’s actions originated from a VPN gateway or portal, as all observed IP addresses linked to the threat actor’s workstations were within internal ranges,” their researchers reported.
“The attackers utilized valid credentials to access customer systems without enabling RDP, creating new accounts, or establishing other persistence mechanisms.”
Source: TheHackerNews