Related Families: HellCat
Verticals Targeted: Non-Profit Organizations, Manufacturing, Healthcare, Energy, Real Estate, Business Services, Telecommunications, Software, Transportation, Education
Executive Summary
A new HellDown Linux variant was observed targeting VMware ESXi systems. The variant, which was first observed in late October, marks a new evolution in HellDown ransomware.
Key Takeaways
- A new HellDown Linux variant was observed targeting VMware ESXi systems.
- Sekoia researchers noted it is possible the threat actors exploited an undocumented vulnerability affecting Zyxel devices to obtain initial access to the target environment.
- PolySwarm analysts consider HellDown to be both an emerging and an evolving threat.
What is HellDown?
A new variant of HellDown that targets Linux systems was first noted in an X post by user @TuringAlex. Sekoia recently reported on the HellDown Linux variant.
HellDown ransomware was first observed in August 2024 and is associated with a threat actor known as Greppy. The Linux variant of HellDown, which targets VMware ESXi servers, was first observed in late October. Several victims of the HellDown Linux variant reportedly used Zyxel firewalls as IPSec VPN access points. Sekoia researchers noted that it is possible the threat actors exploited an undocumented vulnerability affecting those devices to obtain initial access to the target environments. The Linux variant of HellDown is an ELF binary with a size of 237.30 KB. The binary contains no obfuscation or anti-debugging mechanisms.
HellDown is a highly aggressive ransomware group, amassing dozens of victims in a short amount of time. HellDown uses a double extortion model, stealing victim data and threatening to leak the stolen data if the ransom is not paid. The group tends to exfiltrate large amounts of data, which may indicate they are not selective about the type of data being stolen.
Despite exhibiting a moderate level of sophistication, the group appears to target opportunistically. HellDown has been observed targeting a non-profit organization as well as entities in the manufacturing, healthcare, energy, real estate, business services, telecommunications, software, transportation, and education verticals. Most of the group’s victims have been SMBs located in the US and Europe.
Since the HellDown ransomware family is new to the threat landscape and has already exhibited an attempt to expand its targeting to include both Windows and Linux systems, PolySwarm analysts consider HellDown to be both an emerging and an evolving threat.
IOCs
PolySwarm has multiple samples of HellDown, including a sample of the HellDown Linux variant.
7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7
7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872
6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd (Linux Variant)
You can use the following CLI command to search for all HellDown samples in our portal:
$ polyswarm link list -f HellDown
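For defenders who want to sweep their own hosts for the samples above, the following is an added example (not PolySwarm's code or tooling): it streams SHA-256 over every regular file under a directory and reports any file whose digest matches one of the three IoCs listed in this report. The directory layout, the benign sample file and the "test-only" injected IoC in self_check() are constructed for the demonstration; the three hashes are copied from the IOCs section.

```python
"""Added example: match files on a host against the HellDown SHA-256 IoCs
listed in the report above. Not PolySwarm's code; the demo tree is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IoCs exactly as listed in the report, with the report's own labels.
HELLDOWN_IOCS = {
    "7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7": "HellDown",
    "7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872": "HellDown",
    "6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd": "HellDown (Linux variant)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files (e.g. on an ESXi datastore) never
    have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=HELLDOWN_IOCS):
    """Return {path: label} for every regular file under root whose SHA-256
    appears in iocs. Symlinks are skipped and unreadable files are ignored so
    one permission error does not abort the whole sweep."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[p] = iocs[digest]
    return hits


def lookup_hash(digest, iocs=HELLDOWN_IOCS):
    """Normalise a hash string (as copied from an alert or a ticket) and look
    it up; returns the IoC label or None."""
    return iocs.get(digest.strip().lower())


def self_check():
    """Constructed demonstration: scan a temporary tree holding one benign
    file (no hit expected), then rerun with that file's own digest injected as
    a 'test-only' IoC to show what a hit looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, "notes.txt")
        Path(p).write_bytes(b"benign content\n")
        digest = sha256_file(p)
        return {
            "digest_ok": digest == hashlib.sha256(b"benign content\n").hexdigest(),
            "real_hits": scan_tree(tmp),
            "injected_hits": list(scan_tree(tmp, {digest: "test-only"}).values()),
        }


if __name__ == "__main__":
    print(self_check())
    print(lookup_hash("6EF9A0B6301D737763F6C59AE6D5B3BE4CF38941A69517BE0F069D0A35F394DD"))
```

Point scan_tree() at the directory to check (for example a copied-off datastore or a staging share); a non-empty result means a file with a known HellDown hash is present and should be isolated and preserved for investigation. Hash matching only catches these exact samples, so treat it as a quick triage step rather than a substitute for behavioural detection.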
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.