Cybersecurity experts have identified a new variant of the Helldown ransomware targeting Linux systems, signaling a shift toward broader attack strategies. Previously focused on Windows systems, the ransomware now also threatens virtualized infrastructures, including VMware environments.
Helldown, first documented in mid-August 2024, is an aggressive ransomware strain that exploits security vulnerabilities to infiltrate networks. It has targeted sectors such as IT services, telecommunications, manufacturing, and healthcare.
Researchers describe it as a “double extortion” ransomware, leveraging stolen data to pressure victims into paying ransoms under the threat of public exposure. Within just three months, it reportedly impacted 31 companies.
Analysis reveals that Helldown operators gain initial access through vulnerabilities in internet-facing devices, such as Zyxel firewalls. Once inside, they establish persistence, harvest credentials, map the network, evade defenses, and move laterally before deploying ransomware.
For Windows systems, the ransomware executes a series of steps: deleting shadow copies, shutting down processes, encrypting files, dropping a ransom note, and deleting its binary to avoid detection.
The Linux variant, while less sophisticated, exhibits unique characteristics. It focuses on searching for and encrypting files after terminating active virtual machines (VMs) to gain write access to their image files.
However, researchers found that some functionality, including the VM termination code, was not fully operational, suggesting the malware is still under development. Additionally, the Linux version lacks features like obfuscation, anti-debugging, or network communication, raising questions about how victims would obtain decryption tools.
Researchers noted similarities between Helldown and other ransomware strains like DarkRace and DoNex, both of which also originated from the leaked LockBit 3.0 source code. This raises the possibility that Helldown could be a rebranded iteration of earlier variants, though this remains unconfirmed.
The discovery of Helldown coincides with the emergence of other ransomware groups, including Interlock and SafePay. These groups are leveraging unpatched vulnerabilities to launch sophisticated attacks against sectors such as healthcare, technology, and manufacturing.
Interlock, for instance, uses fake software updates to deliver remote access trojans (RATs) that steal data and drop additional payloads, while SafePay appears to have targeted over 20 companies using techniques similar to those of Helldown.
Experts observe that the proliferation of ransomware variants based on LockBit 3.0’s leaked source code reflects a growing trend of cybercriminal groups diversifying their capabilities and collaborating to execute more complex attacks.
Organizations can protect themselves by prioritizing strong cybersecurity measures. These include promptly patching known vulnerabilities in firewalls and virtual infrastructure, monitoring network activity for unusual behavior, and using endpoint detection and response (EDR) solutions to detect early signs of intrusion. Regularly backing up critical data and storing it offline is crucial for mitigating ransomware impact.
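The two behaviours the article describes, the Windows sequence that starts by deleting shadow copies and the Linux variant that powers off VMs to get write access to their image files before encrypting them, are both visible in host telemetry, which is what the monitoring and EDR advice above relies on. The following is an added example, not Helldown's code and not any vendor's detection rule: a small Python detector that runs two heuristics over constructed log lines. The log format (`timestamp host event key=value ...`), the event names `process_create`, `vm_poweroff` and `file_write`, the list of VM image file suffixes, and the thresholds are all assumptions made for this demo; a real deployment would map its own EDR or hypervisor event schema onto them.

```python
"""Heuristic detection of two ransomware behaviours described in the article.

Constructed example. Not Helldown's code and not a vendor's detection logic.
The log format, event names, suffix list and thresholds are assumptions.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "timestamp host event key=value ..." per line.
# esx-01 shows the VM-kill-then-overwrite pattern; esx-02 is benign maintenance;
# win-fs-01 shows shadow copy deletion; win-fs-02 is a harmless process start.
SAMPLE_LOG = """\
2024-11-01T10:00:01Z esx-01 vm_poweroff name=db-prod-01
2024-11-01T10:00:02Z esx-01 vm_poweroff name=web-prod-02
2024-11-01T10:00:03Z esx-01 vm_poweroff name=file-srv-03
2024-11-01T10:00:05Z esx-01 file_write path=/vmfs/volumes/ds1/db-prod-01/db-prod-01-flat.vmdk
2024-11-01T10:00:06Z esx-01 file_write path=/vmfs/volumes/ds1/web-prod-02/web-prod-02-flat.vmdk
2024-11-01T10:00:07Z esx-01 file_write path=/vmfs/volumes/ds1/file-srv-03/file-srv-03-flat.vmdk
2024-11-01T10:00:08Z esx-01 file_write path=/vmfs/volumes/ds1/db-prod-01/db-prod-01.vmx
2024-11-01T10:01:00Z esx-02 vm_poweroff name=test-vm
2024-11-01T12:30:00Z esx-02 file_write path=/vmfs/volumes/ds2/test-vm/test-vm.vmdk
2024-11-01T09:15:00Z win-fs-01 process_create cmd="vssadmin delete shadows /all /quiet"
2024-11-01T09:20:00Z win-fs-02 process_create cmd="notepad.exe report.txt"
"""

# Well-known command lines that remove Volume Shadow Copies (assumed, non-exhaustive).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Suffixes treated as VM disk image / config files (assumption for this demo).
VM_IMAGE_SUFFIXES = (".vmdk", ".vmx", ".qcow2", ".vhd", ".vhdx")


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, host, event, *rest = line.split(" ", 3)
    fields = {}
    # shlex handles the quoted cmd="..." value as a single token.
    for tok in shlex.split(rest[0]) if rest else []:
        key, _, val = tok.partition("=")
        fields[key] = val
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "event": event, **fields}


def _is_image_write(ev):
    return ev["event"] == "file_write" and \
        ev.get("path", "").lower().endswith(VM_IMAGE_SUFFIXES)


def detect(log_text, kill_threshold=2, write_threshold=2,
           window=timedelta(minutes=5)):
    """Return one alert per (rule, host) found in the log text.

    Rule 1: a process_create whose command line matches shadow copy deletion.
    Rule 2: on one host, >= kill_threshold vm_poweroff events and
            >= write_threshold writes to VM image files inside `window`.
    A single VM power-off followed hours later by a write does not fire.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts, alerted, by_host = [], set(), defaultdict(list)
    for ev in events:
        host = ev["host"]
        by_host[host].append(ev)
        if ev["event"] == "process_create":
            cmd = ev.get("cmd", "")
            key = ("shadow_copy_deletion", host)
            if key not in alerted and any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
                alerts.append({"rule": key[0], "host": host, "ts": ev["ts"], "cmd": cmd})
                alerted.add(key)
        if _is_image_write(ev):
            # Only events on this host within the trailing window count.
            recent = [e for e in by_host[host] if ev["ts"] - e["ts"] <= window]
            kills = sum(1 for e in recent if e["event"] == "vm_poweroff")
            writes = sum(1 for e in recent if _is_image_write(e))
            key = ("vm_kill_then_image_write", host)
            if key not in alerted and kills >= kill_threshold and writes >= write_threshold:
                alerts.append({"rule": key[0], "host": host, "ts": ev["ts"],
                               "vm_poweroffs": kills, "image_writes": writes})
                alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second rule fires on the first image write that completes the pattern, so the counts it reports are those visible at that moment (here three power-offs and two writes on `esx-01`); the benign maintenance on `esx-02`, one power-off followed by a write hours later, stays below both the count and time thresholds. Tune `kill_threshold`, `write_threshold` and `window` against what normal administration looks like in your own environment before alerting on them.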