Helldown Ransomware Expands to Target VMware and Linux Systems
2024-11-19
Learn about evolving ransomware threats and the importance of protecting virtualized infrastructures in key industries like IT, telecom, and healthcare.
The article discusses the emergence of a Linux variant of the Helldown ransomware, which expands its attacks to VMware and Linux systems. Helldown, derived from LockBit 3.0, targets virtualized infrastructures and sectors like IT, telecom, manufacturing, and healthcare using double extortion tactics. It exploits vulnerabilities in Zyxel firewalls for network entry, then performs credential harvesting and lateral movement. The Windows version deletes shadow copies and terminates processes before encryption, while the Linux variant contains code to terminate VMs so it can write to their image files, although that code is not actually invoked. The ransomware's state of development suggests it is not yet highly sophisticated. Helldown shares behavioral traits with DarkRace and coincides with the rise of other ransomware families like Interlock and SafePay, indicating a trend of ransomware groups expanding their capabilities and targeting diverse sectors.
Malware, Weak or Compromised Credentials, Inadequate Network Segmentation, Other: Double Extortion
Helldown, ransomware, VMware, Linux, LockBit, Zyxel, double extortion, virtual machines
N/A
VMware, Linux, Windows, Zyxel firewalls, IT services, telecommunications, manufacturing, healthcare
New Helldown Ransomware Expands to VMware and Linux Systems

A new variant of the Helldown ransomware is broadening its attack focus to include Linux systems and VMware environments. Originally derived from LockBit 3.0, this ransomware is now targeting virtualized infrastructures, posing a threat to industries such as IT services, telecommunications, manufacturing, and healthcare. Helldown employs a strategy known as double extortion, where attackers not only encrypt victims' files but also threaten to release stolen data unless a ransom is paid. In a span of just three months, this aggressive ransomware group has reportedly targeted at least 31 companies.

Attack Techniques and Targets

The attack begins with the exploitation of vulnerabilities in Zyxel firewalls, which provide the attackers with initial access to the network. Once inside, they perform several malicious activities, including persistence, credential harvesting, network enumeration, defense evasion, and lateral movement, ultimately leading to the deployment of the ransomware.

Differences Between Windows and Linux Variants

The Windows version of Helldown executes several actions before encryption, such as deleting system shadow copies and terminating processes related to databases and Microsoft Office. It then drops a ransom note, deletes the ransomware binary to cover its tracks, and shuts down the machine. In contrast, the Linux variant, while it lacks obfuscation and anti-debugging mechanisms, is capable of listing and terminating active virtual machines (VMs) to gain write access to image files before encryption. However, this functionality is present in the code but not actually executed, indicating the ransomware may still be under development.

Ransomware Ecosystem and Emerging Threats

Helldown shares behavioral similarities with another ransomware known as DarkRace, which used LockBit 3.0 code and later rebranded to DoNex. This development is part of a broader trend where ransomware groups are diversifying their capabilities and targeting a wide array of sectors. Coinciding with Helldown's rise are other new ransomware families like Interlock and SafePay. Interlock has targeted healthcare, technology, and government sectors in the U.S., as well as manufacturing entities in Europe. It uses a fake Google Chrome browser updater binary to deliver a remote access trojan (RAT) that extracts sensitive data and executes PowerShell commands for further exploitation. SafePay, another new entrant, claims to have targeted 22 companies. It gains access through VPN gateways using valid credentials without creating new user accounts or enabling Remote Desktop Protocol (RDP).

Conclusion

The emergence of these ransomware variants underscores the importance of securing virtualized infrastructures and maintaining robust security practices. Organizations must remain vigilant and ensure their systems are patched and protected against such evolving threats.
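The pre-encryption behaviour described above (shadow copy deletion and process termination on Windows, VM enumeration and termination on the Linux/ESXi side, self-deletion of the binary) is what a detection engineer would want to correlate in process-creation telemetry. The following Python script is an added example written for this page, not code from the article or from any Helldown sample: the log format, the sample events, the command-line patterns (standard `vssadmin`, `taskkill` and `esxcli vm process` invocations) and the five-minute correlation window are all assumptions chosen for illustration, not indicators taken from the campaign.

```python
"""Correlate pre-encryption ransomware staging in process-creation telemetry.

Added example for this page. The rules below match generic administrative
commands that correspond to the behaviours the article lists; they are
assumptions for illustration, not Helldown IoCs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, host, command line).
SAMPLE_EVENTS = [
    ("2024-11-19T08:00:01", "win-fs01", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("2024-11-19T08:00:05", "win-fs01", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-11-19T08:00:06", "win-fs01", "taskkill /F /IM sqlservr.exe"),
    ("2024-11-19T08:00:07", "win-fs01", "taskkill /F /IM WINWORD.EXE"),
    ("2024-11-19T08:00:30", "win-fs01", "cmd.exe /c del /f C:\\Users\\Public\\locker.exe"),
    ("2024-11-19T09:15:00", "esxi-01", "esxcli vm process list"),
    ("2024-11-19T09:15:02", "esxi-01", "esxcli vm process kill --type=force --world-id=2102345"),
    ("2024-11-19T10:00:00", "win-ws07", "vssadmin.exe list shadows"),    # benign admin query
    ("2024-11-19T11:00:00", "win-ws07", "taskkill /F /IM notepad.exe"),  # benign, unrelated
]

# Rule name -> regex for one behaviour. Each is an assumed pattern that
# captures the behaviour class the article names, not a sample-specific string.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "kill_db_or_office": re.compile(
        r"taskkill.*/IM\s+(sqlservr|mysqld|oracle|WINWORD|EXCEL|OUTLOOK)", re.I),
    "vm_enumeration": re.compile(r"esxcli\s+vm\s+process\s+list", re.I),
    "vm_termination": re.compile(r"esxcli\s+vm\s+process\s+kill", re.I),
    "self_delete": re.compile(r"\bdel\s+/f\b.*\.exe", re.I),
}

WINDOW = timedelta(minutes=5)   # assumed per-host correlation window


def match_rules(cmdline):
    """Return the names of every rule a single command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events, window=WINDOW, min_indicators=2):
    """Group rule hits per host and return {host: sorted rule names} for hosts
    showing at least `min_indicators` distinct behaviours inside `window`.

    A single hit (one taskkill, one 'del /f') is too noisy to alert on alone;
    the chain of distinct staging steps on one host is the signal.
    """
    hits = defaultdict(list)   # host -> [(timestamp, rule)]
    for ts, host, cmd in events:
        t = datetime.fromisoformat(ts)
        for rule in match_rules(cmd):
            hits[host].append((t, rule))

    alerts = {}
    for host, entries in hits.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            in_window = {r for t, r in entries[i:] if t - t0 <= window}
            if len(in_window) >= min_indicators:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Run against the constructed events, the script flags win-fs01 (shadow copy deletion, database/Office process kills, binary self-deletion within seconds of each other) and esxi-01 (VM listing followed by a forced VM kill), while the workstation that only lists shadow copies and kills an unrelated process stays quiet. The ESXi rules are worth keeping even though the article reports the Linux variant's VM-termination code is not yet invoked: the same command sequence is what any ESXi-targeting locker needs before it can write to VM disk images.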
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html