
Helldown Ransomware Targets Windows & Linux Servers, Evades Detection


Helldown ransomware is actively targeting critical industries. It encrypts files on both Windows and Linux hosts, gains entry by exploiting known vulnerabilities, and disrupts operations at the organizations it hits.

Its modular design and anti-analysis features indicate that the ransomware is still under active development and that further malicious capabilities are likely to follow.

First observed in August 2024, it encrypts files, appends a random-looking extension to them, and drops ransom notes, disrupting operations and demanding payment.

The Windows variant, a 32-bit executable named Hellenc.exe compiled in August 2024, drops two files, 1.bat and xx.ico, into C:\ProgramData when it runs.

Dropped files

The batch script pings the local host and discards the output, a common batch-file idiom for introducing a short delay, and then forcibly terminates the process named in the script.
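As an added illustration, not code from the article or from the Helldown sample, the following Python script statically checks a dropped batch file for the delay-then-kill idiom described above. The script text it inspects is constructed; the real contents of 1.bat are not reproduced on this page, so the process name and the self-delete line are assumptions.

```python
import re

# Constructed sample reproducing the behaviour the article attributes to the
# dropped batch file: ping localhost as a delay (output discarded), then kill a
# named process. The target process and the self-delete line are assumed, not
# taken from the real 1.bat.
SAMPLE_BAT = """@echo off
ping 127.0.0.1 -n 3 > nul
taskkill /F /IM explorer.exe
del "%~f0"
"""

# "ping <loopback> ... > nul" is the classic batch-file sleep: the reply is
# discarded and the script pauses roughly one second per extra echo request.
PING_DELAY = re.compile(
    r"^\s*ping\b[^>|]*?(?:127\.0\.0\.1|localhost)\b.*?[>|]\s*nul\b", re.IGNORECASE
)
TASKKILL = re.compile(r"^\s*taskkill\b", re.IGNORECASE)
KILL_TARGET = re.compile(r"/(IM|PID)\s+(\S+)", re.IGNORECASE)
# "%~f0" expands to the script's own full path; "del" on it is self-deletion.
SELF_DELETE = re.compile(r"^\s*del\b.*%~f0", re.IGNORECASE)


def analyze_batch(text):
    """Statically inspect a batch script for the delay-then-kill idiom.

    Returns a dict with the line numbers of each behaviour and a 'suspicious'
    verdict that is true when a loopback-ping delay is followed, in script
    order, by a taskkill.
    """
    result = {"delay_lines": [], "kills": [], "self_delete": False, "suspicious": False}
    for no, line in enumerate(text.splitlines(), 1):
        if PING_DELAY.search(line):
            result["delay_lines"].append(no)
        elif TASKKILL.search(line):
            m = KILL_TARGET.search(line)
            target = m.group(2) if m else "<unspecified>"
            forced = "/F" in line.upper()
            result["kills"].append((no, target, forced))
        elif SELF_DELETE.search(line):
            result["self_delete"] = True
    first_delay = min(result["delay_lines"], default=None)
    result["suspicious"] = first_delay is not None and any(
        no > first_delay for no, _, _ in result["kills"]
    )
    return result


if __name__ == "__main__":
    print(analyze_batch(SAMPLE_BAT))
```

The check is deliberately order-sensitive: a kill that precedes the delay is reported but not scored, since the idiom the article describes is "wait, then kill". Run it over any .bat files recovered from C:\ProgramData or a sandbox's dropped-file list.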

Before doing anything else, Helldown checks the system for signs of an analysis environment, in particular processor features that indicate a virtual machine, so that it can avoid running under detection and analysis tooling.

It also detects an attached debugger and terminates itself if one is present, and it tampers with Volume Shadow Copy Service (VSS) settings to hinder recovery by deleting or altering shadow copies.

Debugger evasion

By modifying the Windows registry settings that govern VSS, it can disable shadow copies outright, obstructing recovery attempts.
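Added example, not from the article or from Cyfirma's analysis: a Python triage check that compares the VSS service registry values against their Windows defaults and flags process command lines that delete shadow copies. The article does not name which registry keys Helldown edits, so the keys, the tampered values and the sample command lines below are constructed assumptions chosen from what a defender would audit.

```python
# Registry snapshot in the shape a hive parser or `reg query` export gives:
# {key path: {value name: data}}. Keys and data below are constructed.
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"

# Windows service Start values (REG_DWORD).
START_AUTOMATIC, START_MANUAL, START_DISABLED = 2, 3, 4

# Baseline: VSS and the software shadow-copy provider (swprv) ship as Manual.
BASELINE = {
    SERVICES + r"\VSS": {"Start": START_MANUAL},
    SERVICES + r"\swprv": {"Start": START_MANUAL},
}

# Constructed post-infection snapshot: both services flipped to Disabled.
TAMPERED_SNAPSHOT = {
    SERVICES + r"\VSS": {"Start": START_DISABLED,
                         "ImagePath": r"%systemroot%\system32\vssvc.exe"},
    SERVICES + r"\swprv": {"Start": START_DISABLED},
}

# Command lines ransomware commonly uses to destroy or starve shadow copies.
SHADOW_DELETE_PATTERNS = (
    ("vssadmin", "delete shadows"),
    ("vssadmin", "resize shadowstorage"),
    ("wmic", "shadowcopy delete"),
    ("wbadmin", "delete catalog"),
)


def audit_vss_registry(snapshot, baseline=BASELINE):
    """Compare service Start values against the baseline; return findings."""
    findings = []
    for key, expected in baseline.items():
        values = snapshot.get(key)
        if values is None:
            findings.append(f"{key}: key missing (service removed?)")
            continue
        start = values.get("Start")
        if start == START_DISABLED:
            findings.append(f"{key}: Start={start} (service disabled)")
        elif start != expected["Start"]:
            findings.append(f"{key}: Start={start}, expected {expected['Start']}")
    return findings


def find_shadow_deletion(command_lines):
    """Flag process command lines that delete or starve shadow copies."""
    hits = []
    for cmd in command_lines:
        low = " ".join(cmd.lower().split())  # normalise case and whitespace
        for binary, args in SHADOW_DELETE_PATTERNS:
            if binary in low and args in low:
                hits.append(cmd)
                break
    return hits


# Constructed process-creation records (e.g. from Sysmon Event ID 1).
SAMPLE_COMMANDS = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\cmd.exe /c ping 127.0.0.1 -n 3 > nul",
    r"wmic.exe shadowcopy delete",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for f in audit_vss_registry(TAMPERED_SNAPSHOT):
        print("REGISTRY:", f)
    for c in find_shadow_deletion(SAMPLE_COMMANDS):
        print("COMMAND :", c)
```

A disabled VSS service is a strong signal on a host that had shadow copies before, but both checks are hygiene, not recovery: once shadow copies are gone, only backups held off the host restore the data.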

The ransomware then encrypts the victim's files, appends the ".FGqogsxF" extension to their names, and replaces their icons, marking the attack and hindering recovery.

Encrypted files

Finally it removes its own artifacts, including the executable, the dropped script, and the registry entries it created, reboots the compromised system, and leaves the ransom note behind.

A second sample, the 242,999-byte file e.dat, has the MD5 hash 64cc86931bab241dcc08db03e659bcc5 and the SHA-256 hash 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd.
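An added example, not the article's or Cyfirma's code, that turns the indicators on this page into a file-system sweep: it hashes files under a directory, matches MD5 and SHA-256 against the e.dat digests, and flags files carrying the .FGqogsxF extension. The victim file tree it builds is constructed; to show a hash match without shipping malware, the demo adds the constructed file's own digest to the indicator set for that run.

```python
import hashlib
import os
import tempfile

# Indicators taken from the article: the e.dat sample's size and hashes, and
# the extension appended to encrypted files.
KNOWN_HASHES = {
    "64cc86931bab241dcc08db03e659bcc5",                                   # MD5
    "6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd",  # SHA-256
}
KNOWN_SIZES = {242999}
RANSOM_EXTENSION = ".FGqogsxF"


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, streaming so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def sweep(root, hashes=KNOWN_HASHES, sizes=KNOWN_SIZES, extension=RANSOM_EXTENSION):
    """Walk `root` and return a list of (path, reason) hits.

    Reasons: 'extension' (file renamed with the Helldown extension), 'size'
    (byte length equals a known sample; weak alone, useful for prioritising),
    and 'hash' (MD5 or SHA-256 present in the indicator set).
    """
    hits = []
    ext = extension.lower()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ext):
                hits.append((path, "extension"))
            try:
                size = os.path.getsize(path)
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort
            if size in sizes:
                hits.append((path, "size"))
            if any(d in hashes for d in digests):
                hits.append((path, "hash"))
    return hits


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed victim tree and sweep it; returns sorted hits."""
    with tempfile.TemporaryDirectory() as tmp:
        encrypted = os.path.join(tmp, "report.docx" + RANSOM_EXTENSION)
        _write(encrypted, bytes(range(256)) * 4)          # stand-in ciphertext
        _write(os.path.join(tmp, "notes.txt"), b"nothing to see here\n")
        # Constructed data cannot match the real e.dat digests, so add the
        # constructed file's own MD5 to the indicator set for this run only.
        md5, _ = hash_file(encrypted)
        hits = sweep(tmp, hashes=KNOWN_HASHES | {md5})
        return sorted((os.path.basename(p), r) for p, r in hits)


if __name__ == "__main__":
    for name, reason in demo():
        print(reason, name)
```

On a real host, restrict the walk to the paths that matter (C:\ProgramData, user profiles, file shares) or hash only files whose size is in scope; hashing an entire volume is slow and the extension check alone already tells you whether encryption has started.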

The 64-bit ELF variant of Helldown carries hardcoded configuration data that drives its actions, including file modifications carried out through shell commands, and it calls sleep routines to delay execution and outlast sandbox analysis.

Hardcoded configuration data

It selects target files from an XML configuration, encrypts them, and writes a ransom note. The binary also contains code to terminate running virtual machines so that their disk files can be opened for writing, but that feature is not active in the analyzed sample.

Threat actors are actively exploiting CVE-2024-42057 in Zyxel firewalls. The flaw allows unauthenticated command execution on the device, and in multiple observed breaches it led to unauthorized account creation, malicious file uploads, and ultimately full system compromise.

Although it emerged only recently, Helldown has already compromised victims in Real Estate, IT, Manufacturing, Healthcare, Energy, and Transportation, posing a significant risk to critical infrastructure and businesses.

Victims have been reported in 11 countries, with the United States and Germany reporting the most cases, which suggests that Helldown is expanding opportunistically worldwide rather than targeting specific regions.

According to Cyfirma, Helldown exploits known vulnerabilities and encrypts critical systems across platforms, disrupting operations in vital industries. Prompt patching and backups that survive shadow-copy deletion, held offline or on immutable storage, are essential to counter its impact.
