Helldown ransomware exploits Zyxel VPN flaw to breach networks

Submitted by
Style Pass
2024-11-19 21:30:07

The new 'Helldown' ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing its operators to steal data and encrypt devices.

Although not among the major players in the ransomware space, Helldown has quickly grown since its launch over the summer, listing numerous victims on its data extortion portal.

Helldown was first documented by Cyfirma on August 9, 2024, and then again by Cyberint on October 13, both briefly describing the new ransomware operation.

The first report of a Linux variant of the Helldown ransomware targeting VMware files came from 360NetLab security researcher Alex Turing on October 31.

The Linux variant features code to list and kill VMs in order to encrypt their images. However, its functions are only partially invoked, indicating that it might still be under development.

Sekoia reports that Helldown for Windows is based on the leaked LockBit 3 builder and features operational similarities to Darkrace and Donex. However, no definitive connection could be made based on the available evidence.
