Helldown Ransomware Expands to Target VMware and Linux Systems

A Linux variant of the Helldown ransomware has been uncovered. Previously known for targeting Windows systems, the Helldown group now extends its reach to VMware ESX servers and Linux environments.

According to a new report by Sekoia’s Threat Detection & Research (TDR) team, Helldown, an intrusion set that surfaced in August 2024, operates with a double-extortion model.

It exfiltrates sensitive data from victims before encrypting systems, threatening to leak the stolen information if ransoms are not paid.

The group has already claimed 31 victims across the United States and Europe, including Zyxel’s European subsidiary. Notably, Zyxel firewalls appear to be a critical entry point in these attacks, with the group exploiting vulnerabilities to breach networks.

Expanding Operations: From Windows to Linux

The newly identified Linux variant suggests Helldown is diversifying its targets. Analysis of the malware shows a focus on VMware ESX servers, with features designed to shut down virtual machines before encrypting files.

While its Windows ransomware demonstrates sophisticated tactics, such as deleting shadow copies and terminating key processes, the Linux version appears less advanced and may still be under development.

The Windows variant uses XML-based configurations to direct encryption tasks and relies on features such as hardcoded keys and administrator privilege checks.

Similarly, the Linux variant follows a straightforward process, encrypting files with an RSA-protected key and generating ransom notes. However, no network communication has been observed, suggesting an offline operation strategy.

Entry Through Zyxel Vulnerabilities

Helldown has frequently exploited vulnerabilities in Zyxel firewalls to gain initial access. In one confirmed case, attackers leveraged VPN credentials obtained via compromised Zyxel devices to move laterally within a network.

Though Zyxel released patches addressing these flaws in September 2024, the lack of publicly available exploit code suggests Helldown relies on undisclosed methods to breach systems.

Connections to Other Ransomware Groups

According to Sekoia, Helldown’s tactics and code share similarities with other ransomware, including Darkrace and Donex, both linked to the LockBit 3.0 lineage.

However, no conclusive connection has been established. The Helldown group’s reliance on large-scale data exfiltration – averaging 70GB per victim – sets it apart from many ransomware operations that favor targeted data theft.

As the group continues to evolve, experts recommend organizations patch vulnerabilities promptly, particularly in network devices like firewalls and VPN gateways.
