{"id":57750,"date":"2024-11-20T15:38:55","date_gmt":"2024-11-20T15:38:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36617\/Helldown-Ransomware-Evolves-To-Target-VMware-Systems-Via-Linux.html"},"modified":"2024-11-20T15:38:55","modified_gmt":"2024-11-20T15:38:55","slug":"helldown-ransomware-evolves-to-target-vmware-systems-via-linux","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/helldown-ransomware-evolves-to-target-vmware-systems-via-linux\/","title":{"rendered":"Helldown Ransomware Evolves To Target VMware Systems Via Linux"},"content":{"rendered":"
<\/div>\n

A Linux variant of the Helldown ransomware has been discovered targeting Linux systems and potentially evolving to target virtualized VMware systems<\/a>.<\/p>\n

In a Nov. 19 blog post<\/a>, Sekoia\u2019s Threat Detection and Research Team reported that while Helldown\u2019s exact methods are unclear, both Cyfirma<\/a> and Cyberint<\/a> have found that the group exploits recently disclosed and likely not yet patched vulnerabilities to infiltrate a victim\u2019s network and then deploy ransomware.<\/p>\n

Among the targeted flaws was CVE-2024-42057, a code execution flaw that had not previously been targeted in the wild but was now being used for malware attacks.<\/p>\n

The Sekoia researchers said the threat actor uses a double extortion strategy. First exfiltrating large volumes of data and threatening to publish it on its [.onion] site if the ransom does not get paid. The group has been very active in claiming 31 victims within three months, including Zyxel\u2019s European subsidiary.<\/p>\n

While ransomware targeting Linux isn\u2019t unprecedented, Helldown\u2019s focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on, said Patrick Tiquet, vice president, security and architecture at Keeper Security.<\/p>\n

Derived from LockBit 3.0, Tiquet said Helldown leverages familiar techniques such as exploiting vulnerabilities in Zyxel firewalls for initial access. Once inside, it operates methodically; harvesting credentials, mapping networks and evading detection before launching its encryption payload.<\/p>\n

\u201cOn Windows, it\u2019s precise and aggressive, wiping recovery options and terminating critical processes,\u201d said Tiquet. \u201cOn Linux, its simplicity is its strength \u2013 shutting down virtual machines to maximize the impact of its encryption.\u201d<\/p>\n

Helldown is a prime example of how cybercriminals are piecing together all of the elements of modern malware to create a formidable threat, added Jason Soroko, senior fellow at Sectigo. Soroko said all of the elements of this malware variant have been seen before, but we are increasingly seeing malware that\u2019s strengthening on all fronts. <\/p>\n

\u201cFrom fileless execution to strong custom encryption, this malware variant teaches us that we can\u2019t rely on our adversaries to make mistakes that give us an easy way to mitigate their attacks,\u201d said Soroko. \u201cSecurity architects who are building defensive systems against attacks such as this should assume that adversaries are bringing a sophisticated set of tools with few weak spots.\u201d<\/p>\n

Attacking and shutting down VMware systems lets the threat actors encrypt them for ransom, because systems that are in use cannot be acted on by processes other than VMware, explained Mayuresh Dani, manager, security research at Qualys Threat Research Unit.<\/p>\n

Dani said security teams can do the following:<\/p>\n

\n