There’s a new ransomware group in town called Helldown … time to see what they’re up to


Helldown has not been on the scene for very long; the earliest sightings indicate that the group started in August of this year.

Another sighting placed the group in October, but it looks like they are still small and their toolset is not very complete.

They also run a data-leak site where they post their victims; to date, research counts only 28 listed there, which may mean that three additional victims paid and were removed.

No company names, individuals or payout amounts were given, although the article does say the group hits small to medium-sized businesses, especially in the U.S.

Victim Announcements

Above is an image showing victim announcements. Let's see what JAWS 2024's Picture Smart says about the image. We will block quote what it says.

The image is a line graph charting the number of victims over time, from August to October. It starts with the “First victim” on 05/08 and ends with the “Last victim” on 31/10, totaling 31 victims. There is a steady increase in victims with a noticeable “Quiet period DLS change” in September. The graph

BleepingComputer also shows a ransom note, apparently from the group, provided by the researchers who analyzed it.

Helldown's ransom note

Let's see what JAWS 2024's Picture Smart says about the ransom note pictured above. Again, we'll block quote its description.

The image is a ransom note addressed to the management of an Active Directory domain. It states that network infrastructure has been compromised, critical data leaked, files encrypted, and backups deleted. The message urges the recipient to contact the sender before any losses occur. It includes instructions to download the Tor browser and visit a specific .onion website, as well as a Tox ID for negotiation. An email address, “,” is provided

The article indicates that the group inserts a random string into the note's filename before the extension, as in Readme.FGqogsxF.txt, rather than appending it after the extension, as in Readme.txt.FGqogsxF. A hunting rule written for the appended form would miss these notes.
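The two observations above, the note's contact details (Tor .onion site, Tox ID, e-mail) and the token-before-extension naming, are what an incident responder would want to pull out of a file share quickly. The following is an added example written for this post, not code from the article or from any researcher; the directory listing, the note text, the .onion name and the Tox ID in it are all constructed placeholders, and treating the random token as 6 to 12 alphanumerics (the article's sample, FGqogsxF, is 8) is an assumption.

```python
import re
from pathlib import PurePosixPath

# --- Part 1: ransom-note filenames ------------------------------------------
# Per the article the note is named Readme.FGqogsxF.txt: the random token sits
# between the base name and the .txt extension, not after it. Matching the
# token as 6-12 alphanumerics is an assumption to tolerate other lengths.
TOKEN = r"[A-Za-z0-9]{6,12}"
INSERTED = re.compile(rf"^Readme\.(?P<token>{TOKEN})\.txt$", re.IGNORECASE)
APPENDED = re.compile(rf"^Readme\.txt\.(?P<token>{TOKEN})$", re.IGNORECASE)


def classify_note_name(path: str):
    """Return ('inserted' | 'appended' | None, token) for the file name in path."""
    name = PurePosixPath(path).name
    m = INSERTED.match(name)
    if m:
        return "inserted", m.group("token")
    m = APPENDED.match(name)
    if m:
        return "appended", m.group("token")
    return None, None


# --- Part 2: contact details inside the note --------------------------------
# The note, per the article, points to a Tor .onion site and gives a Tox ID
# and an e-mail address. v3 .onion names are 56 base32 characters plus
# ".onion"; Tox IDs are 76 hex characters.
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def extract_contacts(note_text: str) -> dict:
    """Pull unique .onion names, Tox IDs and e-mail addresses out of a note."""
    return {
        "onion": sorted(set(ONION_RE.findall(note_text))),
        "tox": sorted({t.upper() for t in TOX_RE.findall(note_text)}),
        "email": sorted(set(EMAIL_RE.findall(note_text))),
    }


# --- Constructed samples (placeholders, not from the article) ----------------
SAMPLE_LISTING = [
    "/srv/share/finance/Readme.FGqogsxF.txt",  # token before the extension
    "/srv/share/finance/Readme.txt.FGqogsxF",  # token appended after it
    "/srv/share/hr/Readme.txt",                # ordinary file, no token
    "/srv/share/hr/Readme.aB3dEf9h.txt",
    "/srv/share/it/README.md",
]
FAKE_ONION = "a" * 56 + ".onion"                      # placeholder, not real
FAKE_TOX = "0123456789ABCDEF" * 4 + "0123456789AB"   # 76 hex chars, placeholder
SAMPLE_NOTE = f"""Hello management of the Active Directory domain.
Download the Tor browser and open http://{FAKE_ONION}/
Tox ID: {FAKE_TOX}
Mail: negotiator@example.com
"""


def triage(listing, note_text):
    """Locate note files by name and extract the contact details from one note."""
    notes = []
    for p in listing:
        form, token = classify_note_name(p)
        if form:
            notes.append((p, form, token))
    return {"notes": notes, "contacts": extract_contacts(note_text)}


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING, SAMPLE_NOTE)
    for path, form, token in result["notes"]:
        print(f"{form:9s} token={token}  {path}")
    print(result["contacts"])
```

Both naming forms are matched on purpose: the article reports the inserted form for Helldown, but a share that has seen more than one family may hold both, and the token is kept so notes from the same run can be grouped.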

This is relatively new, and they show images of code similarities between which two operating systems?

I’ll give you a hint. They are both popular and both are used by various people, probably one more than the other, but in varying aspects of work.

The answer is Windows and Linux.

Would you like to learn more about what this new group is up to and all we know? Read the BleepingComputer article titled "Helldown ransomware exploits Zyxel VPN flaw to breach net" if this interests you.

There are other images there, including the code similarities, and other things I did not cover here.

We need to learn about these things, even though we may not know how this is being delivered yet. At least I didn't see it in this article.

Thanks so much for reading, make it a great day!
