Helldown Ransomware Targets VMware ESXi and Linux Servers in Latest Attacks

By Admin | 2024-11-23 | Ransomware

Helldown, a ransomware group first identified in 2024, has been breaching networks through vulnerable Zyxel firewalls. Since August 2024 the group has claimed more than 30 victims, mostly small and medium-sized businesses but also larger organisations such as Zyxel Europe. It operates a double-extortion model: data is stolen before encryption and the group threatens to publish it unless the ransom is paid.


Escalating Threat and Data Leaks

Helldown runs a dedicated data leak site on which it publishes stolen data. At the time of writing it lists 28 victims; three earlier entries have been removed, which usually indicates that the victim paid. Activity clusters in August and October 2024, and Sekoia suggests the quieter period in between was spent refining the group's tooling.


Exploiting Zyxel Vulnerabilities

Helldown's main initial access vector is Zyxel firewalls, in particular devices still running ZLD firmware V5.38. The group is believed to have exploited CVE-2024-42057, a command-injection flaw in the IPSec VPN component of ZLD V4.32 through V5.38: an unauthenticated attacker can execute OS commands on the appliance by sending a crafted username, provided the device uses user-based PSK authentication and has a local user with a username longer than 28 characters. At least eight victims used Zyxel firewalls for IPSec VPN access at the time of the breach, and historical Censys data shows that two of them replaced their firewalls after the compromise.

After gaining a foothold the group creates unauthorised local accounts, observed names include "SUPPOR87" and "VPN", and uses them for SSL VPN access into the victim network, which gives persistent access that survives a reboot of the appliance. From these accounts the operators move laterally, escalate privileges and deploy their tooling.


Malware Deployment and Attack Tactics

Once inside, Helldown maps the network with Advanced Port Scanner and uses HRSword, a legitimate Chinese system tool, to disable endpoint security products before the ransomware is deployed. Large volumes of data are then copied directly from network file shares for the extortion stage.

The Windows payload is a native executable that encrypts files, writes ransom notes and carries out its cleanup and shutdown steps through standard Windows APIs rather than bundled third-party tools. In order, it:


* Deletes system shadow copies to prevent recovery.

* Terminates running processes that could hold files open or otherwise interfere with encryption.

* Encrypts files, renames them and changes their icons so that the ransom demand is visible at a glance.

* Drops a ransom note and wipes traces of its activity.

* Ultimately shuts down the infected system.
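The pre-encryption steps in that list (shadow-copy deletion, process termination, recovery tampering, forced shutdown) all surface as process-creation events, which is where a SOC can catch them before the encryption stage. The following detection logic is an added example written for this article, not code from Sekoia or from the Helldown payload: it runs a small rule set over constructed Sysmon-style process-creation records and then groups hits by parent process, because the combination of several of these behaviours from one parent is far stronger evidence than any single command, which an administrator might legitimately run. The sample events, rule names and thresholds are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records, not logs from a Helldown intrusion.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no",
     "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im sqlservr.exe",
     "ParentImage": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /s /f /t 0",
     "ParentImage": r"C:\Users\Public\update.exe"},
    # Benign administrator activity that must not be flagged on its own.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "agent.exe --snapshot",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# (rule name, regex over the normalised command line, MITRE ATT&CK technique)
RULES = [
    ("shadow_copy_delete_vssadmin", r"vssadmin(\.exe)?\s+delete\s+shadows", "T1490"),
    ("shadow_copy_delete_wmic", r"wmic(\.exe)?\s+shadowcopy\s+delete", "T1490"),
    ("recovery_disabled_bcdedit", r"bcdedit.*recoveryenabled\s+no", "T1490"),
    ("process_kill_taskkill", r"taskkill(\.exe)?\s+.*/f\b.*/im\b", "T1489"),
    ("forced_shutdown", r"shutdown(\.exe)?\s+.*/[sr]\b.*\s/f\b", "T1529"),
]


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    parent: str
    command: str


def scan_events(events):
    """Return one Hit per (event, rule) match.

    The command line is whitespace-normalised and lower-cased first so that
    quoting tricks and case changes do not slip past the patterns.
    """
    hits = []
    for ev in events:
        cmd = " ".join(ev.get("CommandLine", "").split()).lower()
        for name, pattern, technique in RULES:
            if re.search(pattern, cmd):
                hits.append(Hit(name, technique, ev.get("ParentImage", ""), cmd))
    return hits


def suspicious_parents(hits, min_rules=2):
    """Parents that triggered at least min_rules distinct rules.

    Shadow-copy deletion followed by a forced shutdown from the same parent is
    the sequence described above; a lone 'vssadmin list shadows' from an admin
    shell is routine and never reaches the threshold.
    """
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h.parent, set()).add(h.rule)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.technique} {h.rule}: {h.command}")
    print(suspicious_parents(found))
```

In production the parent-process correlation would be keyed on process GUID and bounded by a time window rather than on the parent image path alone, and the rule list would be maintained as Sigma rules; the structure of the check is the same.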


The payload reads its configuration from an XOR-encrypted XML file and disables WoW64 file-system redirection, the mechanism by which a 32-bit process on 64-bit Windows sees SysWOW64 in place of System32; with redirection off, the 32-bit binary can reach the real 64-bit system executables. Sekoia's assessment is that Helldown's impact comes from the network foothold it obtains, not from the payload, which is technically unremarkable.
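A single-layer XOR over XML is weak precisely because the plaintext starts with a predictable declaration, so an analyst does not need the key: XOR-ing the first bytes of the blob with the expected `<?xml ...?>` header yields the keystream, and the shortest period in that keystream is the key. The script below is an added example written for this article, not code from the Helldown sample or from Sekoia; the XML elements, the 12-byte key and the blob are all constructed here so that the recovery can be demonstrated offline, and the real configuration schema is not known from the page.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample configuration. The article only says the config is an
# XOR-encrypted XML file; the element names below are assumptions, not the
# real Helldown schema.
SAMPLE_CONFIG = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<config>\n'
    b'  <note>readme.txt</note>\n'
    b'  <ext>.locked</ext>\n'
    b'  <kill>sqlservr.exe;vmwp.exe</kill>\n'
    b'  <skip>Windows;Program Files</skip>\n'
    b'</config>\n'
)
# Constructed 12-byte key, used only to build the sample blob; the recovery
# routine below never reads it.
SAMPLE_KEY = bytes.fromhex("5a137e2c9108f03d66a71bc4")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED_SAMPLE = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

# Known plaintext: the 38-byte XML declaration every such config starts with.
XML_DECL = b'<?xml version="1.0" encoding="UTF-8"?>'


def recover_key(blob: bytes, known_prefix: bytes = XML_DECL) -> Optional[bytes]:
    """Recover a repeating XOR key from a known plaintext prefix.

    ciphertext XOR plaintext gives the keystream for those positions; the
    shortest period that repeats across the whole prefix is the key. The
    prefix must cover at least two periods for the repeat to be observed, so
    a 38-byte declaration bounds this method at 19-byte keys. Returns None
    when the blob is too short or no period fits.
    """
    if len(blob) < len(known_prefix):
        return None
    stream = xor_bytes(blob[:len(known_prefix)], known_prefix)
    for n in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def decrypt_config(blob: bytes) -> dict:
    """Recover the key, decrypt the blob and return the config as tag -> text."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("key not recoverable from the known prefix")
    root = ET.fromstring(xor_bytes(blob, key))
    return {child.tag: child.text for child in root}


if __name__ == "__main__":
    print("recovered key:", recover_key(ENCRYPTED_SAMPLE).hex())
    print(decrypt_config(ENCRYPTED_SAMPLE))
```

If a sample uses a declaration without the encoding attribute, pass the shorter header as `known_prefix`; the bound on recoverable key length shrinks accordingly, and a longer key then needs a second known-plaintext anchor (for example the closing root tag at the end of the file).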


Targeting Virtualized Infrastructures

Helldown pays particular attention to virtualised environments, specifically VMware infrastructure. Sekoia also analysed a Linux build of the ransomware aimed at VMware ESXi hosts: it contains code to enumerate and terminate running virtual machines before encrypting their files, although in the samples analysed that code is not invoked, which suggests the Linux variant is still under development. The Windows payload shows code overlap with ransomware families derived from the leaked LockBit 3 builder, so the LockBit connection is one of reused code rather than of Helldown deploying LockBit itself.


Mitigation Measures

Zyxel fixed CVE-2024-42057 in ZLD firmware V5.39, but a patched firewall does nothing about accounts created before the update. Beyond patching, the recommended mitigations are:

* Updating firewall firmware to V5.39 or later and verifying the installed version on every device, not just the ones believed to be exposed.

* Disabling unused remote-access services, SSL VPN in particular, and restricting the remaining VPN endpoints to known source addresses where possible.

* Auditing local and VPN user accounts on the firewall against a maintained baseline, so that additions such as "SUPPOR87" or "VPN" stand out.

* Implementing network segmentation and strict access controls.
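The two checks that matter most for this campaign, the firmware version under "Exploiting Zyxel Vulnerabilities" and the unauthorised accounts in the mitigation list above, can be run from a single inventory. The script below is an added example written for this article, not a Zyxel or Sekoia tool: it takes a constructed inventory of firewalls (the record layout and the `V5.38(ABUI.0)` version-string format are assumptions), compares each firmware version against the V5.39 fix release for CVE-2024-42057, and diffs each device's accounts against a baseline the admin team maintains.

```python
import re

# ZLD V5.39 is the release that fixes CVE-2024-42057 (Zyxel advisory).
PATCHED_VERSION = (5, 39)

# Baseline of local accounts expected on every device. Constructed for the
# example; in practice this comes from the team's configuration management.
BASELINE_ACCOUNTS = {"admin", "backup-ro"}

# Constructed inventory, as might be exported from a management system. The
# field names and the "V5.38(ABUI.0)" version format are assumptions.
INVENTORY = [
    {"host": "fw-hq-01", "firmware": "V5.38(ABUI.0)",
     "accounts": ["admin", "backup-ro", "SUPPOR87", "VPN"]},
    {"host": "fw-branch-02", "firmware": "V5.39(ABUI.0)",
     "accounts": ["admin", "backup-ro"]},
    {"host": "fw-branch-03", "firmware": "V5.37(ABUI.1)",
     "accounts": ["admin"]},
]


def parse_version(firmware: str):
    """Extract (major, minor) from a ZLD version string such as 'V5.38(ABUI.0)'."""
    m = re.match(r"V?(\d+)\.(\d+)", firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    return int(m.group(1)), int(m.group(2))


def audit_device(device: dict) -> list:
    """Return a list of findings for one firewall; empty means clean."""
    findings = []
    if parse_version(device["firmware"]) < PATCHED_VERSION:
        findings.append(
            f"firmware {device['firmware']} predates V5.39 fix for CVE-2024-42057")
    # Unknown accounts: anything present on the device but absent from the
    # baseline. Persistence accounts like SUPPOR87/VPN show up here even after
    # the firmware has been patched.
    for acct in sorted(set(device["accounts"]) - BASELINE_ACCOUNTS):
        findings.append(f"account not in baseline: {acct}")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map host -> findings for every device that has at least one finding."""
    report = {}
    for device in inventory:
        findings = audit_device(device)
        if findings:
            report[device["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Two points about the design: the account check is a set difference against an allow-list rather than a block-list of known bad names, because the next intrusion will use different names; and the version check is done on parsed integers, since a string comparison would rank "V5.4" above "V5.39".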


Conclusion

Helldown's rise is a reminder that a group does not need novel malware to be effective. Its success rests on edge devices left unpatched and on persistence through accounts nobody audited, which makes timely firmware updates, account baselining and segmentation the defences that actually matter here.