Anthonyy (posted November 9, 2024): Hi everyone, I really need some help! Our server was struck by Helldown ransomware, and all our important data is locked up. I'm urgently looking for a way to decrypt it and get things back to normal. If anyone has experience with this or knows of a reliable solution, I'd be beyond grateful. Thank you so much in advance!
Marcos, Administrator (posted November 10, 2024): Please provide: 1. Logs collected with ESET Log Collector; 2. A couple of encrypted files (ideally Office documents); 3. The ransomware note with payment instructions. Most likely it's Win32/Filecoder.ORG, which has been detected by ESET since Aug 12.
itman (posted November 10, 2024, edited November 10, 2024): Here's an article on Helldown ransomware: https://www.truesec.com/hub/blog/helldown-ransomware-group . Of note, quoting the article: "The Truesec CSIRT have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim's environment directly from the LAN IP-address of their internet facing Zyxel firewall. Based on tests conducted of victims' externally facing firewalls, the default behaviour should assign an authenticated SSL-VPN user an IP from a predefined IP-address pool 10.10.11.0/24, and any traffic from a SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP-address. Despite this expected behaviour, traffic was sourced from 192.168.1.1 when the TA authenticated to any of the internal machines in the victim's environment. The forensic team was left unable to investigate the underlying operating system of the compromised firewalls, and as such, were unable to positively confirm whether the threat actor utilized the SSL-VPN service to access the victim's environment, or if the firewall device itself had been compromised via an exploit. The evidence points towards the latter of the two options." If you were using Microsoft Defender on the server, assume it was disabled; quoting the article again: "Two methods of disabling local anti-virus were observed during recent investigations. The first method was by manually disabling real-time protection using powershell. The second method was by employing hrsword.exe to disable endpoint protection software on a given machine [T1562.001]. Command line: powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 -SubmitSamplesConsent 0 -UILockdown $true. Description: PowerShell command line to disable Windows Defender Real-time Protection."
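A defender-side check for the two Defender-tampering methods quoted above (the Set-MpPreference switches and hrsword.exe), run over process-creation command lines such as Windows Security event 4688 with command-line auditing or Sysmon Event ID 1. This is an added example, not code from the thread, Truesec or ESET; the sample events are constructed.

```python
import re

# Constructed process-creation command lines (e.g. the CommandLine field of Windows
# Security 4688 or Sysmon Event ID 1). Made up for this example; not from the thread.
SAMPLE_EVENTS = [
    "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 "
    "-SubmitSamplesConsent 0 -UILockdown $true",
    "powershell.exe Get-MpPreference",
    "C:\\Users\\Public\\hrsword.exe",
    "powershell.exe -nop set-mppreference -DisableRealtime:1",
    "cmd.exe /c dir",
]

# Set-MpPreference parameters that weaken Defender, with the values that do so (T1562.001).
RISKY_PARAMS = {
    "disablerealtimemonitoring": {"$true", "1"},
    "mapsreporting": {"0"},
    "submitsamplesconsent": {"0"},
    "uilockdown": {"$true", "1"},
}

def resolve_param(token):
    """Map a PowerShell switch (PowerShell accepts unambiguous prefixes) to a RISKY_PARAMS key."""
    if not token.startswith("-") or len(token) < 5:
        return None
    name = token[1:].lower()
    hits = [p for p in RISKY_PARAMS if p.startswith(name)]
    return hits[0] if len(hits) == 1 else None

def assess_command_line(cmdline):
    """Return a list of findings for one command line; an empty list means nothing suspicious."""
    findings = []
    # Normalise '-Param:value' into '-Param value' so both PowerShell forms tokenise alike.
    tokens = re.sub(r"(-\w+):", r"\1 ", cmdline).split()
    lowered = [t.lower() for t in tokens]
    if any(t.endswith("hrsword.exe") for t in lowered):
        findings.append("hrsword.exe launched (endpoint-protection killer named in the Truesec report)")
    if "set-mppreference" in lowered:
        for i, tok in enumerate(lowered[:-1]):
            param = resolve_param(tok)
            if param and lowered[i + 1] in RISKY_PARAMS[param]:
                findings.append(f"Set-MpPreference -{param} {lowered[i + 1]}")
    return findings

def scan_events(events):
    """Return (command line, findings) for every event that produced at least one finding."""
    assessed = ((e, assess_command_line(e)) for e in events)
    return [(e, f) for e, f in assessed if f]
```

Benign `Get-MpPreference` calls and unrelated processes produce no findings, while the abbreviated `-DisableRealtime:1` form is still caught.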
itman (posted November 10, 2024, edited November 11, 2024): Based on this: https://www.ransomlook.io/group/helldown , Helldown ransomware group launched a new wave of attacks on Nov. 6. Makes me wonder if they are deploying a new variant. -EDIT- These attacks actually occurred in Sept. and Oct. and were just made public on Nov. 6.
itman (posted November 10, 2024): In light of the above posting that the HellDown ransomware group's primary network intrusion method is via Zyxel network perimeter firewall appliances, it so happens that HellDown launched a successful ransomware attack against Zyxel itself, with a significant data upload occurring: https://ransomwareattacks.halcyon.ai/attacks/zyxel-networks-hit-by-helldown-ransomware-253gb-data-leaked . If I were using one of these Zyxel devices, I would be taking a "hard look" at them.
Anthonyy, Author (posted November 12, 2024): Log Collector is not executing due to the virus. https://we.tl/t-jvCFet84aa
Marcos, Administrator (posted November 12, 2024): I'm afraid that the only option is to restore the system and files from a backup, if one exists. Without logs we can't investigate how the attack occurred. It would have helped substantially if ESET Inspect had been installed to monitor suspicious operations in the network prior to the encryption.
QuickSilverST250 (posted November 12, 2024): @Anthonyy What version/product of ESET are you using?
Anthonyy, Author (posted November 16, 2024; marked as Solution): I found a solution, guys; if anyone is also facing this issue, they can watch the video given. I contacted them and they helped me to decrypt my files with a good success ratio. Video link:
itman (posted November 16, 2024, edited November 16, 2024): 1 hour ago, Anthonyy said: "I found a solution, guys; if anyone is also facing this issue, they can watch the video given. I contacted them and they helped me to decrypt my files with a good success ratio." I assume you used one of the data recovery services such as this one: https://digitalrecovery.com/en/decrypt-ransomware/helldown/ . BTW, what antivirus solution was installed when you got hit with this ransomware attack?
itman (posted November 16, 2024, edited November 18, 2024): I also came across this posting from the Zyxel forum: https://community.zyxel.com/en/discussion/26764/ransomware-helldown , which I strongly advise reading if you are using Zyxel firewall appliances. Also related: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-os-command-injection-flaw-in-routers/ .
itman (posted November 17, 2024, edited November 17, 2024): Helldown Ransomware Group had quite a profitable month in Oct. Quoting: "The ransomware group Helldown has resurfaced with a new onion address; 15 new victims listed on the data leak site." https://www.linkedin.com/posts/hackmanac_cyberattacks-the-ransomware-group-helldown-activity-7260195411515052034-Ox7K , with most of the victims in the U.S.
Anthonyy, Author (posted November 18, 2024): I used this decryptor and it worked 100% for me. Here is the link: https://decryptors.org/helldown-ransomware-decryptor/
itman (posted November 18, 2024, edited November 18, 2024): 1 hour ago, Anthonyy said: "I used this decryptor and it worked 100% for me. Here is the link: https://decryptors.org/helldown-ransomware-decryptor/" What did they charge you for the decryptor?
Anthonyy, Author (posted November 19, 2024, edited November 19, 2024): 4500 dollars
itman (posted November 19, 2024): Your final issue is whether the Helldown Group uploaded your server data prior to encrypting it, which is pretty much the norm these days. If so, expect the data to be showing up on the Dark Web shortly.
itman (posted November 19, 2024, edited November 19, 2024): Helldown Ransomware Group is also getting a lot of recent press coverage. Here's one of the recent articles: https://www.infosecurity-magazine.com/news/helldown-ransomware-target-vmware/ . Related: https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/ .