Threat Bulletin

Blackwell Helix Threat Bulletin: Helldown Ransomware Targets VMware Processes on Linux


Key Alert:

Helldown ransomware, a rising threat in 2024, has been observed exploiting a vulnerability in Zyxel firewalls to gain network access and disable VMware processes, allowing encryption of Linux systems. This threat poses critical risks to healthcare organizations reliant on virtualized infrastructures.

Threat Overview:

Helldown has emerged as a notable ransomware group. It focuses its attacks on Linux environments, particularly VMware ESX servers. By shutting down critical VMware processes, the ransomware enables the encryption of virtualized systems. The group leverages vulnerabilities in widely used network appliances as its primary entry vector, making unpatched systems especially vulnerable.

Key aspects of Helldown include:

  • Volume of Data Stolen: An average of 70GB per attack, with individual incidents ranging from 22GB to 431GB.
  • Indiscriminate Targeting: Unlike more selective groups, Helldown targets entire network shares and NAS systems, prioritizing disruption over precision.
  • Evolving Capabilities: While still developing its Linux attack vectors, the group has shown consistent improvements in exploiting vulnerabilities and deploying effective ransomware variants.

Healthcare Impacts:

Healthcare organizations are particularly vulnerable to Helldown ransomware due to their reliance on virtualized systems and the critical nature of the data involved. Specific impacts include:

  • Operational Disruption: Shutting down VMware processes compromises access to electronic health records (EHR) and other critical applications, delaying patient care.
  • Data Breaches: Double extortion tactics mean stolen data, including sensitive patient information, could be publicly leaked if ransom demands are unmet.
  • Regulatory and Compliance Risks: Exposure of protected health information (PHI) risks violations of HIPAA and other regulatory frameworks.

Exploitation Method:

Helldown uses CVE-2024-42057, a command injection vulnerability in the IPSec VPN feature of certain Zyxel firewalls. This vulnerability allows unauthenticated attackers to execute arbitrary commands by sending a specially crafted username.

Affected Zyxel Products and Firmware Versions:

  • ATP Series: Firmware V4.32–V5.38
  • USG FLEX Series: Firmware V4.50–V5.38
  • USG FLEX 50(W) Series: Firmware V4.16–V5.38
  • USG20(W)-VPN Series: Firmware V4.16–V5.38

Note: Devices operating in Nebula cloud management mode are not affected, as stated in Zyxel's advisory.
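The affected-version list above is most useful when it can be run against a device inventory. The following is an added example written for this bulletin (it is not Blackwell or Zyxel code) that parses firmware strings, checks each device against the published ranges, and honours the Nebula exemption. It assumes the printed ranges are inclusive at both ends, that firmware strings look like "V5.38" with an optional build suffix in parentheses, and that the series names used as keys match your own inventory labels; the sample inventory is constructed.

```python
import re

# Affected ranges as printed in the bulletin, read as inclusive (major, minor)
# bounds. The series keys are assumptions for this example.
AFFECTED_RANGES = {
    "ATP": ((4, 32), (5, 38)),
    "USG FLEX": ((4, 50), (5, 38)),
    "USG FLEX 50(W)": ((4, 16), (5, 38)),
    "USG20(W)-VPN": ((4, 16), (5, 38)),
}

# Assumed firmware format: "V5.38", optionally followed by a build suffix in
# parentheses. Anything else is treated as unparseable and sent to manual review.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)(?:\(.*\))?$")


def parse_version(text):
    """Return (major, minor) from a firmware string, or None if it does not parse."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(series, firmware, nebula_managed=False):
    """True when the firmware is inside the published range for its series.

    Devices in Nebula cloud management mode are excluded, as the bulletin notes.
    An unknown series or an unparseable version returns None so the device is
    triaged by hand rather than silently marked safe.
    """
    if nebula_managed:
        return False
    bounds = AFFECTED_RANGES.get(series)
    version = parse_version(firmware)
    if bounds is None or version is None:
        return None
    low, high = bounds
    return low <= version <= high


def triage(inventory):
    """Split (hostname, series, firmware, nebula_managed) rows into three buckets."""
    patch, clear, review = [], [], []
    for host, series, firmware, nebula in inventory:
        verdict = is_affected(series, firmware, nebula)
        if verdict is True:
            patch.append(host)
        elif verdict is False:
            clear.append(host)
        else:
            review.append(host)
    return patch, clear, review


# Constructed sample inventory; hostnames and build suffix are not real devices.
SAMPLE_INVENTORY = [
    ("fw-clinic-01", "ATP", "V5.38(ABCD.0)", False),
    ("fw-clinic-02", "USG FLEX", "V4.49", False),
    ("fw-branch-03", "USG FLEX 50(W)", "V5.38", True),
    ("fw-branch-04", "USG20(W)-VPN", "V5.39", False),
    ("fw-lab-05", "USG FLEX", "5.38-beta", False),
]

if __name__ == "__main__":
    patch, clear, review = triage(SAMPLE_INVENTORY)
    print("patch now:   ", patch)
    print("not in range:", clear)
    print("manual review:", review)
```

The three-way result is deliberate: a firewall whose firmware string cannot be parsed, or whose series is not in the table, lands in the review bucket instead of being reported as clear.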

Indicators of Compromise (IoCs):

These IoCs, provided as SHA-256 hashes, are artifacts for detecting potential breaches and for understanding the tools and techniques employed by the threat group.

Helldown Windows Payloads:

  • 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfab
  • 7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7
  • 7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872
  • 3e3fad9888856ce195c9c239ad014074f687ba288c78ef26660be93ddd97289e

Helldown Windows Icons, Ransom Notes, and Scripts:

  • 2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e1
  • 47635e2cf9d41cab4b73f2a37e6a59a7de29428b75a7b4481205aee4330d4d19
  • cb48e4298b216ae532cfd3c89c8f2cbd1e32bb402866d2c81682c6671aa4f8ea
  • 67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733
  • 2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0 (Overlaps with Darkrace and Donex malware families according to Sekoia)

Helldown Linux Payload:

  • 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd

Helldown Linux Ransom Note:

  • 9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c

Zyxel Compromise Artifact (zzz1.conf):

  • ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe

Tactics, Techniques, and Procedures (TTPs):

Tactic                 Technique
Resource Development   T1650 – Acquire Access
Initial Access         T0819 – Exploit Public-Facing Application
Discovery              T1087.001 – Local Account
Impact                 T1471 – Data Encrypted for Impact
Initial Access         T0866 – Exploitation of Remote Services

Recommendations for Healthcare Organizations:

Blackwell Security MHXDR Customers:

Blackwell actively conducts threat hunting within the logs and telemetry we collect for our clients. We have already begun hunting for IoCs and TTPs derived from our Helix threat operations team. If you are an MHXDR subscriber, please refer to your signal lifecycles for any suspected issues or alarms that require your attention.

Immediate Actions:

  1. Patch Zyxel Devices: Update all affected firmware versions immediately to mitigate vulnerabilities.
  2. Review Logs: Monitor for IoCs and suspicious activity indicative of Helldown presence.
  3. Backup Systems: Maintain secure, offline backups of critical data and configurations.

Long-Term Defense:

  • Network Segmentation: Isolate critical infrastructure to minimize lateral movement.
  • Enhanced Monitoring: Deploy advanced threat detection focused on VMware and Linux environments.
  • Access Controls: Strengthen identity and access management by enforcing multi-factor authentication and minimizing admin privileges.

Leadership Guidance:

  • Conduct risk assessments to identify and remediate vulnerabilities in virtualized and networked environments.
  • Invest in staff training to reduce the likelihood of successful social engineering attempts.
  • Partner with Blackwell Security and leverage Pulse and Helix products for managed detection and response services tailored to healthcare organizations’ unique challenges.

Blackwell Helix continues to monitor Helldown activity and provides healthcare organizations with tailored solutions to mitigate ransomware risks. For more information, contact Blackwell Security’s threat operations team.