New Variant of 'Helldown' Ransomware Targets VMware and Linux Systems

Cybersecurity researchers have uncovered a Linux variant of the emerging ransomware strain known as Helldown, indicating that its operators are broadening their attack scope.

According to a report by Sekoia shared with The Hacker News, Helldown deploys ransomware on Windows systems using code derived from LockBit 3.0. Recent activity targeting VMware ESX suggests the group is adapting to attack virtualized infrastructures.

Initially documented by Halcyon in August 2024, Helldown is described as an aggressive ransomware group exploiting security vulnerabilities to breach networks. The group has targeted sectors such as IT services, telecommunications, manufacturing, and healthcare. Its tactics include leveraging data leak sites for double extortion, pressuring victims to pay by threatening to publish stolen data. In just three months, Helldown is estimated to have attacked at least 31 companies.

A recent analysis by Truesec revealed that Helldown exploits internet-facing Zyxel firewalls to gain initial access. After establishing persistence, the group performs credential harvesting, network reconnaissance, defense evasion, and lateral movement to deploy ransomware. Attackers have been observed using vulnerabilities in Zyxel appliances to steal credentials and create SSL VPN tunnels.

On Windows systems, Helldown deletes shadow copies, terminates key processes, exfiltrates and encrypts data, and drops a ransom note before shutting down the machine. The Linux variant, in contrast, lacks obfuscation and advanced anti-debugging mechanisms. It focuses on searching for and encrypting files after terminating active virtual machines, though its code appears incomplete and not yet fully operational.
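The two behaviours the report attributes to Helldown (shadow-copy deletion on Windows, and terminating running VMs on ESXi before encryption) are visible in process-creation logs. The following detector is an added example, not code from the article or from Sekoia; the sample events are constructed, and the command patterns are assumed common tooling for those actions rather than commands quoted by the report.

```python
import re

# Constructed sample process-creation events (host, user, command line);
# not taken from the Sekoia or Truesec reports.
SAMPLE_EVENTS = [
    ("win-fs01", "svc_backup", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("win-fs01", "alice", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("esxi-01", "root", "esxcli vm process kill --type=force --world-id=2103"),
    ("esxi-01", "root", "vim-cmd vmsvc/getallvms"),
    ("win-app02", "bob", r"C:\Program Files\App\app.exe --sync"),
]

# Behaviours described in the article. The regexes assume the usual
# administrative tools for each action; they are not indicators from the report.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "esxi_vm_termination": re.compile(
        r"(esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off)", re.I),
}


def classify(cmdline):
    """Return the names of all rules matched by one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(events):
    """Return (host, user, rule) tuples for events that match a rule.

    Benign look-alikes (listing shadow copies, enumerating VMs) are not flagged.
    """
    hits = []
    for host, user, cmd in events:
        for rule in classify(cmd):
            hits.append((host, user, rule))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

A real deployment would feed these rules from endpoint telemetry and alert on the Windows rule when the deleting account is not a backup job, and on the ESXi rule when several VMs are killed within a short window.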

Interestingly, Helldown shares similarities with other ransomware strains, including DarkRace (later rebranded as DoNex), which was also built on LockBit 3.0 code. While there are indications Helldown could be another rebrand, this connection remains unconfirmed.

The rise of Helldown coincides with the emergence of other ransomware families like Interlock and SafePay. Cisco Talos reports that Interlock has targeted sectors such as healthcare, technology, and government, using sophisticated attack chains involving fake browser updates and remote access trojans.

Meanwhile, SafePay, another variant based on LockBit 3.0, has reportedly attacked 22 companies to date, exploiting VPN gateways and valid credentials to gain access without creating new user accounts or enabling RDP.

These developments highlight a growing trend of ransomware groups adopting shared tools and tactics, diversifying their targets, and expanding their capabilities to include both Windows and Linux systems.