CVE-2024-42057: Exploited by Helldown Ransomware to Target Linux

Helldown ransomware Linux
Helldown ransom note from xml configuration | Image: Sekoia

Sekoia’s Threat Detection & Research (TDR) team uncovers a Linux variant of the Helldown ransomware, expanding the threat landscape.

The Helldown ransomware group, previously known for targeting Windows systems, has expanded its operations to include Linux machines. This new development was uncovered by Sekoia’s Threat Detection & Research (TDR) team, who identified a tweet mentioning a Linux variant of the Helldown ransomware targeting Linux systems.

Helldown, a relatively new entrant in the ransomware landscape, first appeared in August 2024 and has already claimed 31 victims across the U.S. and Europe, including Zyxel’s European subsidiary. The group employs double extortion tactics, exfiltrating sensitive data before encrypting files and threatening to publish the stolen information if a ransom is not paid.

Sekoia has linked several Helldown attacks to vulnerabilities in Zyxel firewalls. A critical flaw, CVE-2024-42057, allows unauthenticated code execution and has been identified as a likely entry point for the group. Notably:

  • Compromised firewalls were found to have malicious user accounts and payloads, such as the zzz1.conf file uploaded from Russian IPs.
  • Exploitation enabled attackers to pivot further into networks, using tools like Advanced Port Scanner and commands to disable defenses

Helldown’s ransomware targets both Windows and Linux systems with unique payloads:

  • Windows Ransomware: Employs shadow copy deletion, process termination, and encryption. A ransom note, ReadMe.[encrypt_extension].txt, is left on compromised systems.
  • Linux Ransomware: Focuses on VMware ESX servers. It kills virtual machines, encrypts files with RSA-encrypted keys, and appends the key to the encrypted files, allowing decryption only with the attacker’s private key

Helldown uses double extortion by exfiltrating vast amounts of data—ranging from 22GB to 431GB per victim. The stolen data typically includes PDFs and scanned documents, likely sourced from network file-sharing drives or NAS systems.

Helldown’s behavior and tools share similarities with Darkrace and Donex, both derived from the leaked LockBit 3 codebase. However, no definitive connection between these groups has been established.

Related Posts: