Self Assessment

Investigation into Helldown Ransomware

Published On : 2024-11-26
Share :
Investigation into Helldown Ransomware

EXECUTIVE SUMMARY

Helldown Ransomware is a fast-evolving cyber threat targeting critical industries globally. With advanced cross-platform capabilities, including Windows and Linux, it disrupts systems by encrypting files and exploiting vulnerabilities. Its modular design and anti-detection techniques signal active development.

INTRODUCTION

Helldown ransomware was first identified in August 2024 by CYFIRMA. The ransomware encrypts the files, appends random extensions to filenames, and creates a ransom note (“Readme.[random_string].txt”).

Leak site of Ransomware (Source: Underground forum)

# Windows Platform:
File name: Hellenc.exe
File size: 653.50 KB (669184 bytes)
MD5: 5e7f5bb24a7cdaabcf3d2e77ed31fa4e
SHA-256: 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfabf
Compiler-stamp: Fri Aug 02 06:48:50 2024 | UTC
The specimen is a 32-bit GUI-based Windows executable. It drops two files, 1.bat and xx.ico, in the C: ProgramData directory.

Dropped files

The dropped batch script initially pings the localhost and discards its result, which is used to create a small delay in execution, before forcefully terminating the process mentioned in the script:

Dropped batch script

The below process tree shows the initial actions of the Helldown ransomware:

Process tree

The malware checks for an analysis environment, such as the processor feature to detect a virtual machine:

Checking for a virtual processor

It also verifies if it is running under the debugger and calls UnhandledExceptionFilter as an anti-debugging measure to exit the debugger or terminate the process:

Debugger evasion

Helldown ransomware manipulates the Windows registries to alter the Volume Shadow Copy Service (VSS) settings, potentially to delete or alter shadow copies and hinder recovery efforts:

Registry manipulation: Volume Shadow Copy Service (VSS)

Deleting volume shadow copy

It encrypts the system files, including documents and images. It also changes the file extension of the encrypted ones to “.FGqogsxF” and the icon of the file using the icon file it dropped in ProgramData in the earlier stage of execution.

Encrypted files

The Ransomware then deletes the dropped script and itself, and other artifacts, such as created registries, and restarts the compromised system:

Command execution: Deleting artifacts and restart

It drops a ransom note in the form of a text file:

Ransom note

Linux Platform:
File name: e.dat
File size: 237.30 KB (242999 bytes)
MD5: 64cc86931bab241dcc08db03e659bcc5
SHA-256: 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd

This specimen of Helldown ransomware is a 64-bit ELF executable. It loads hardcoded configuration data at the initial stage of execution, which includes tags associated with the malware’s actions:

Hardcoded configuration data

The ransomware executes commands using the shell command-line interpreter, leveraging the touch command to create and modify time stamps. It can evade sandbox detection by utilizing the sleep function from the standard C library.

The ransomware scans the path provided as an argument to the program, targeting files with extensions specified in the XML file’s excluded tags. When the ransomware identifies a file with a specified extension, it encrypts the file and a ransom note is generated on the infected machine using details from the XML file.

Process tree

It is equipped with functionality to kill the VM (virtual instances) before encryption to get write access to the system files, but it is not executed during the execution. We also didn’t notice any network connection attempt to malicious IP/domain.

ADDITIONAL OBSERVATIONS:

Researchers observed that threat actors are actively exploiting vulnerabilities in Zyxel firewalls to gain initial access to targeted systems. These firewalls, commonly used as IPSec VPN access points, were identified in at least eight breaches, with some victims replacing their devices following the incidents.

A critical vulnerability, CVE-2024-42057 with CVSS 8.1, which allows unauthenticated code execution, is believed to be a significant attack vector. During the breaches, attackers created unauthorized accounts, such as “SUPPOR87” and uploaded malicious files like “zzz1.conf,” which contained encoded payloads for exploitation. Reports of similar activity, including compromised devices running older firmware, further corroborate these findings.

INDUSTRIES TARGETED BY HELLDOWN

Helldown ransomware, which emerged just three months ago, has swiftly targeted diverse industries. Real Estate & Construction leads with five victims, followed by IT and Manufacturing with three each. Critical sectors like Healthcare, Energy, and Transportation are also affected, highlighting its broad scope and significant threat across essential services and businesses.

GEOGRAPHIES TARGETED BY HELLDOWN

The Helldown ransomware, active for only three months, has already demonstrated a global impact, affecting victims in 11 countries. The USA has reported the highest number of cases (11), followed by Germany with five. France and Switzerland are also notably impacted, highlighting the ransomware’s extensive reach across Europe. Based on this trend, there is medium confidence that Helldown is likely to continue spreading globally rather than focusing on specific regions.

MITRE FRAMEWORK

MITRE FRAMEWORK
Tactic ID Technique/Sub Technique
Initial Access T1190 Exploit Public Facing Application
Execution T1047 Windows Management Instrumentation
Execution T1129 Shared Modules
Persistence T1543.003 Create or Modify System Process: Windows Service
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation T1548 Abuse Elevation Control Mechanism
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1027.002 Obfuscated Files or Information: Software Packing
Defense Evasion T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070.004 Indicator Removal:  File Deletion
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1548 Abuse Elevation Control Mechanism
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1003 OS Credential Dumping
Credential Access T1056 Input Capture
Credential Access T1552.001 Unsecured Credentials: Credentials in Files
Discovery T1007 System Service Discovery
Discovery T1010 Application Window Discovery
Discovery T1016 System Network Configuration Discovery
Discovery T1018 Remote System Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1135 Network Share Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Collection T1005 Data from Local System
Collection T1056 Input Capture
Collection T1114 Email Collection
Collection T1185 Browser Session Hijacking
Command and Control T1071 Application Layer Protocol
Command and Control T1090 Proxy
Command and Control T1105 Ingress Tool Transfer
Impact T1486 Data Encrypted for Impact
Impact T1489 Service Stop

CONCLUSION

Helldown ransomware poses a significant risk to businesses globally due to its advanced encryption techniques, exploitation of known vulnerabilities, and cross-platform targeting. Its focus on critical industries and regions highlights its potential to cause widespread disruption. Proactive measures, such as patching known vulnerabilities and robust backup strategies, are critical to mitigate its impact.

SIGMA RULES

title: Delete shadow copy via WMIC
status: experimental
threatname:
behaviorgroup: 18
classification: 0
mitreattack:
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
– ‘*wmic*shadowcopy delete*’
condition: selection
level: critical
(Source: Surface Web)

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case the need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering; (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defense based on the tactical intelligence provided.