Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems: A Growing Concern for Cybersecurity




A new Linux variant of the Helldown ransomware has extended the group's attacks, until now aimed at Windows hosts, to VMware and Linux systems. The move is part of a broader trend of ransomware groups diversifying their tooling: several new families, Interlock and SafePay among them, have appeared in the same period, and both Helldown and SafePay are built on the leaked LockBit 3.0 code.



  • Helldown ransomware variant has expanded its attacks to include VMware and Linux systems.
  • The threat group is using known and unknown security flaws in Zyxel appliances to breach networks.
  • Helldown's attack chains involve internet-facing Zyxel firewalls, persistence, credential harvesting, network enumeration, defense evasion, and lateral movement activities.
  • The Windows version of Helldown deletes system shadow copies, terminates database and Microsoft Office processes, and shuts down the machine after encryption.
  • The Linux counterpart lacks obfuscation and anti-debugging mechanisms and kills all running virtual machines before encrypting; the analysts also question how the attacker would supply a decryption tool.
  • Helldown exhibits behavioral similarities with LockBit 3.0 variants, including DoNex and Rhysida.
  • A new ransomware family called Interlock has emerged, targeting healthcare, technology and government organizations in the US and manufacturing entities in Europe.
  • Interlock uses a fake Google Chrome browser updater binary to deploy a remote access trojan (RAT) for data theft and payload delivery.
  • A new entrant called SafePay has emerged; it is also built on LockBit 3.0 and claims 22 victim companies so far.



    The ransomware landscape has produced a steady stream of new threats in recent months. One that has drawn particular attention is the Helldown ransomware, which has expanded its attacks to include VMware and Linux systems. The development fits an ongoing trend of ransomware groups diversifying their capabilities to support more varied operations.

    According to a report that Sekoia shared with The Hacker News, Helldown is a Linux variant of a relatively new ransomware operation whose Windows payload is derived from the leaked LockBit 3.0 code. Porting the locker to Linux broadens the range of systems the group can target beyond Windows hosts.

    Truesec's analysis, published earlier this month, described Helldown attack chains that use internet-facing Zyxel firewalls for initial access, followed by persistence, credential harvesting, network enumeration, defense evasion and lateral movement before the ransomware is deployed. The attackers abuse both known and unknown security flaws in the Zyxel appliances, then use the foothold to steal credentials and create SSL VPN tunnels under temporary user accounts. For defenders, unexpected new SSL VPN users on a perimeter firewall are therefore an early indicator worth reviewing.

    The Windows version of Helldown, once launched, performs a series of steps before exfiltrating and encrypting files, including deleting system shadow copies (to prevent recovery) and terminating processes associated with databases and Microsoft Office so that their files are not locked during encryption. As a final step, the ransomware binary deletes itself to cover its tracks, a ransom note is dropped, and the machine is shut down.

    The Linux counterpart, by contrast, lacks obfuscation and anti-debugging mechanisms and implements a concise set of functions to search for and encrypt files, but only after listing and killing all active virtual machines (VMs) so that their disk files can be encrypted. Sekoia's analysis of the Linux sample also raises the question of how the attacker would be able to supply a working decryption tool for it.

    Both Helldown and DarkRace have been noted to exhibit behavioral similarities with other LockBit 3.0 variants, including DoNex and Rhysida. Sekoia's analysis therefore does not rule out Helldown being yet another rebrand, but the connection cannot be confirmed at this stage.

    The development coincides with Cisco Talos's disclosure of another emerging ransomware family, Interlock, which has singled out healthcare, technology and government organizations in the U.S. and manufacturing entities in Europe. Interlock can encrypt both Windows and Linux machines.

    Attack chains distributing the ransomware use a fake Google Chrome browser updater binary hosted on a legitimate but compromised news website. When run, it deploys a remote access trojan (RAT) that lets the attackers extract sensitive data and execute PowerShell commands that drop further payloads for credential harvesting and reconnaissance.

    On its blog, Interlock claims to target organizations' infrastructure by exploiting unaddressed vulnerabilities and says its actions are partly motivated by a desire to hold companies accountable for poor cybersecurity, in addition to financial gain. Cisco Talos assesses Interlock to be a new group that emerged from Rhysida operators or developers, citing overlaps in tradecraft, tools and ransomware behavior.

    Coinciding with the arrival of Helldown and Interlock is another new entrant to the ransomware ecosystem, SafePay, which claims to have hit 22 companies to date. According to Huntress, SafePay is also built on LockBit 3.0, a further sign that the leak of the LockBit source code has spawned several independent variants.

    The ransomware landscape continues to change quickly, with new groups emerging, reusing leaked code and extending their lockers to Linux and VMware hosts. The cases above point to where defenders should look: internet-facing appliances such as firewalls as the initial-access target, unexpected VPN accounts created from a stolen foothold, and hypervisors where running VMs are terminated before encryption. Security leaders need to keep up with this reporting and adjust their controls accordingly.



    Related Information:

  • https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html


  • Published: Tue Nov 19 06:35:05 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
