Malware News Helldown ransomware exploits Zyxel VPN flaw to breach networks

Shadowra

The new 'Helldown' ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing them to steal data and encrypt devices.

French cybersecurity firm Sekoia is reporting this with medium confidence based on recent observations of Helldown attacks.

Although not among the major players in the ransomware space, Helldown has quickly grown since its launch over the summer, listing numerous victims on its data extortion portal.

Helldown discovery and overview

Helldown was first documented by Cyfirma on August 9, 2024, and then again by Cyberint on October 13, both briefly describing the new ransomware operation.

The first report of a Linux variant of the Helldown ransomware targeting VMware files came from 360NetLab security researcher Alex Turing on October 31.

The Linux variant features code to list and kill VMs to encrypt images; however, its functions are only partially invoked, indicating that it might still be under development.


 
