
"Helldown" ransomware attacks expand to Linux and VMware


The "Helldown" ransomware, which started small earlier this year, is now targeting VMware systems and Linux environments, a move that's raising serious concerns among cybersecurity experts. This evolution highlights how attackers are finding new ways to exploit vulnerabilities across platforms.

Helldown first grabbed attention in mid-2024, targeting Windows systems. It borrows its foundation from LockBit 3.0, a notorious ransomware family, and shows behavioral overlaps with other rebrands like Darkrace and Donex. Its latest Linux variant takes things further by targeting VMware virtual machines (VMs), aiming to kill active VMs before encryption. Interestingly, though, researchers found this feature isn't fully functional yet, indicating it's still in development.

On the Windows side, Helldown’s tactics are less refined than those of other advanced ransomware strains. For example, it uses batch files to terminate processes instead of more sophisticated, embedded methods. Even so, its focus on crippling VMs and encrypting data suggests the operators have broader ambitions. A key feature of Helldown's attack chain is its use of vulnerabilities in Zyxel’s VPN devices. Specifically, it exploits CVE-2024-42057, a command injection flaw in the IPSec VPN that allows attackers to execute OS commands by supplying a crafted username.

The attackers exploit unpatched vulnerabilities to breach networks. Once inside, they use simple yet effective tools to escalate privileges, disable security, and exfiltrate data. The Linux variant raises eyebrows because, unlike its Windows counterpart, it lacks common evasion tricks like obfuscation. This simplicity suggests it’s a work-in-progress but still dangerous. Targeting VMs lets ransomware operators maximize the damage. By taking out VMs, they can disrupt critical operations in IT and other industries.
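Since the Zyxel flaw described above is triggered through a crafted username, one defensive check is to screen VPN authentication logs for usernames that carry shell metacharacters or are implausibly long. The following is an added example, not code from the article or from any vendor; the log line format and the sample entries are constructed for illustration and will need adapting to the real device's syslog format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Characters that have no place in a legitimate VPN username but are
# typical of an attempt to break out of the expected value into a shell.
SHELL_META = re.compile(r"[;&|`$()<>{}\\]")

# Constructed log format (assumption, not Zyxel's real syslog layout):
#   <timestamp> ipsec auth user="<name>" result=<ok|fail> src=<ip>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ipsec auth user="(?P<user>.*)" result=(?P<result>\w+) src=(?P<src>\S+)$'
)

# Constructed sample log lines for a self-contained run.
SAMPLE_LOG = [
    '2024-11-01T08:00:01Z ipsec auth user="alice" result=ok src=203.0.113.10',
    '2024-11-01T08:00:07Z ipsec auth user="bob" result=fail src=203.0.113.11',
    '2024-11-01T08:01:13Z ipsec auth user="admin;hostname" result=fail src=198.51.100.7',
    '2024-11-01T08:01:20Z ipsec auth user="svc$(x)" result=fail src=198.51.100.7',
    'this line is not an auth record and is skipped',
]


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one auth record, or None if the line does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def suspicious_username(user: str) -> Optional[str]:
    """Return a reason string when the username looks like an injection attempt."""
    if SHELL_META.search(user):
        return "shell metacharacters in username"
    if len(user) > 64:  # threshold is an assumption; tune to your naming policy
        return "unusually long username"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Walk auth records and collect the ones whose username looks crafted."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = suspicious_username(rec["user"])
        if reason:
            findings.append(Finding(rec["ts"], rec["src"], rec["user"], reason))
    return findings
```

Running `scan(SAMPLE_LOG)` flags the two entries from 198.51.100.7 and ignores the ordinary logins; in practice, feed it the device's exported syslog and alert on any hit, regardless of whether the authentication result was ok or fail.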

This year has been a wild ride for ransomware attacks: bigger, and a whole lot smarter. One of the big scares was the "ESXiArgs" ransomware, which hammered VMware vSphere servers globally. It wasn’t even a fresh zero-day vulnerability; attackers simply took advantage of systems that hadn’t been patched for years. Props to CISA, though, for stepping in with a recovery script that helped some victims bounce back without forking over a ransom.

On top of that, Microsoft’s security report painted an even scarier picture: cybercriminals and even state-backed actors are stepping up their game with AI-powered attacks. Groups like North Korea’s FakePenny aren’t just after cash; they’re doing double duty by stealing sensitive data while they’re at it.

Source: The Hacker News
