A Linux variant of the Helldown ransomware has been discovered targeting Linux systems and potentially evolving to target virtualized VMware systems.
In a Nov. 19 blog post, Sekoia’s Threat Detection and Research Team reported that while Helldown’s exact methods are unclear, both Cyfirma and Cyberint have found that the group exploits recently disclosed and likely not yet patched vulnerabilities to infiltrate a victim’s network and then deploy ransomware.
Among the targeted flaws was CVE-2024-42057, a code execution flaw that had not previously been targeted in the wild but was now being used for malware attacks.
The Sekoia researchers said the threat actor uses a double extortion strategy: it first exfiltrates large volumes of data and then threatens to publish it on its .onion site if the ransom is not paid. The group has been very active, claiming 31 victims within three months, including Zyxel’s European subsidiary.
While ransomware targeting Linux isn’t unprecedented, Helldown’s focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on, said Patrick Tiquet, vice president, security and architecture at Keeper Security.
Tiquet said Helldown, derived from LockBit 3.0, leverages familiar techniques such as exploiting vulnerabilities in Zyxel firewalls for initial access. Once inside, it operates methodically: harvesting credentials, mapping networks and evading detection before launching its encryption payload.
“On Windows, it’s precise and aggressive, wiping recovery options and terminating critical processes,” said Tiquet. “On Linux, its simplicity is its strength – shutting down virtual machines to maximize the impact of its encryption.”
Helldown is a prime example of how cybercriminals are piecing together all of the elements of modern malware to create a formidable threat, added Jason Soroko, senior fellow at Sectigo. Soroko said all of the elements of this malware variant have been seen before, but we are increasingly seeing malware that’s strengthening on all fronts.
“From fileless execution to strong custom encryption, this malware variant teaches us that we can’t rely on our adversaries to make mistakes that give us an easy way to mitigate their attacks,” said Soroko. “Security architects who are building defensive systems against attacks such as this should assume that adversaries are bringing a sophisticated set of tools with few weak spots.”
Attacking and shutting down VMware systems lets the threat actors encrypt them for ransom, because systems that are in use cannot be acted on by processes other than VMware, explained Mayuresh Dani, manager, security research at Qualys Threat Research Unit.
Dani said security teams can do the following:
- Observe unplanned/random service stops for VMware processes and make sure that the systems are not affected by the ransomware.
- Ensure machine snapshots are routinely created and separately stored to be restored if the need arises.
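As an added illustration of the first recommendation above (example code, not from the article or any of the quoted researchers), a small Python detector that flags a burst of VM power-off events by one account on one host, the pattern that precedes encryption when the Linux variant shuts guests down. The log line format, host names and account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log format (hypothetical, not an actual VMware or syslog format):
#   <ISO-8601 time> <host> vmx: power-off vm=<name> initiator=<account>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vmx: power-off vm=(?P<vm>\S+) initiator=(?P<who>\S+)$"
)

# Constructed sample: one scheduled power-off, then a burst that shuts down
# five guests in about ten seconds, followed by an unrelated single event.
SAMPLE_LOG = """\
2024-11-19T01:00:02Z esx01 vmx: power-off vm=test-01 initiator=ops_maint
2024-11-19T02:13:04Z esx01 vmx: power-off vm=web-01 initiator=svc_backup
2024-11-19T02:13:06Z esx01 vmx: power-off vm=web-02 initiator=svc_backup
2024-11-19T02:13:09Z esx01 vmx: power-off vm=db-01 initiator=svc_backup
2024-11-19T02:13:11Z esx01 vmx: power-off vm=file-01 initiator=svc_backup
2024-11-19T02:13:15Z esx01 vmx: power-off vm=ad-01 initiator=svc_backup
2024-11-19T09:30:00Z esx02 vmx: power-off vm=dev-07 initiator=jdoe
"""

def parse_events(text):
    """Yield (time, host, vm, initiator) for each power-off line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["host"], m["vm"], m["who"]

def detect_shutdown_bursts(text, window_s=60, threshold=3):
    """Alert when one initiator powers off >= threshold VMs on one host
    within window_s seconds. Returns a list of (host, initiator, [vms])."""
    by_key = defaultdict(list)
    for ts, host, vm, who in parse_events(text):
        by_key[(host, who)].append((ts, vm))
    alerts = []
    for (host, who), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits within window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, who, [vm for _, vm in events[start:end + 1]]))
                break  # one alert per (host, initiator) is enough
    return alerts

if __name__ == "__main__":
    for host, who, vms in detect_shutdown_bursts(SAMPLE_LOG):
        print(f"ALERT {host}: {who} powered off {len(vms)} VMs within 60s: {vms}")
```

Tune `window_s` and `threshold` to the normal cadence of your own maintenance jobs, and allowlist known automation accounts, so scheduled shutdowns do not trip the alert.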