Anthonyy, posted November 9:
Hi everyone, I really need some help! Our server was struck by Helldown ransomware, and all our important data is locked up. I'm urgently looking for a way to decrypt it and get things back to normal. If anyone has experience with this or knows of a reliable solution, I'd be beyond grateful. Thank you so much in advance!
Marcos (Administrator), posted November 10:
Please provide:
1. Logs collected with ESET Log Collector
2. A couple of encrypted files (ideally Office documents)
3. The ransomware note with payment instructions.
Most likely it's Win32/Filecoder.ORG, which has been detected by ESET since Aug 12.
itman, posted November 10 (edited):
Here's an article on Helldown ransomware: https://www.truesec.com/hub/blog/helldown-ransomware-group . Of note:
Quote:
The Truesec CSIRT have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim's environment directly from the LAN IP address of their internet-facing Zyxel firewall. Based on tests conducted of victims' externally facing firewalls, the default behaviour should assign an authenticated SSL-VPN user an IP from a predefined IP address pool 10.10.11.0/24, and any traffic from an SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP address. Despite this expected behaviour, traffic was sourced from 192.168.1.1 when the TA authenticated to any of the internal machines in the victim's environment. The forensic team was left unable to investigate the underlying operating system of the compromised firewalls, and as such were unable to positively confirm whether the threat actor utilized the SSL-VPN service to access the victim's environment, or if the firewall device itself had been compromised via an exploit. The evidence points towards the latter of the two options.
If you were using Microsoft Defender on the server, assume it was disabled:
Quote:
Two methods of disabling local anti-virus were observed during recent investigations. The first method was by manually disabling real-time protection using PowerShell. The second method was by employing hrsword.exe to disable endpoint protection software on a given machine [T1562.001].
Command line: powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 -SubmitSamplesConsent 0 -UILockdown $true
Description: PowerShell command line to disable Windows Defender Real-time Protection
Edited November 10 by itman
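The two observations quoted in that post translate directly into checks a responder can run over collected Windows event data: remote logons to internal hosts sourced from the firewall's own LAN address (192.168.1.1) instead of the SSL-VPN pool (10.10.11.0/24), and PowerShell script blocks or process launches that switch off Defender real-time protection. The script below is an added example written for this thread, not code from Truesec, ESET or any of the posters; the host names, accounts, timestamps and log records are constructed, and the addresses are assumed from the quoted write-up and must be adjusted to your own environment.

```python
"""Triage checks over constructed Windows event records (added example, not from the
original thread). Assumptions: SSL-VPN clients are assigned 10.10.11.0/24 and the
Zyxel's LAN interface is 192.168.1.1, as described in the quoted Truesec post."""
import ipaddress
import re

VPN_POOL = ipaddress.ip_network("10.10.11.0/24")            # assumed SSL-VPN address pool
FIREWALL_LAN_IPS = {ipaddress.ip_address("192.168.1.1")}    # assumed firewall LAN address

# Constructed Security 4624 logon records: (timestamp, target host, account, logon type, source IP)
LOGON_EVENTS = [
    ("2024-10-03T08:12:04", "FS01", "j.doe", 10, "10.10.11.7"),
    ("2024-10-03T23:41:19", "DC01", "administrator", 3, "192.168.1.1"),
    ("2024-10-03T23:42:02", "FS01", "administrator", 10, "192.168.1.1"),
    ("2024-10-04T09:00:11", "FS01", "a.smith", 3, "192.168.1.55"),
]

# Constructed PowerShell 4104 script-block records: (timestamp, host, script text)
SCRIPT_BLOCKS = [
    ("2024-10-03T23:45:30", "FS01",
     "Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 "
     "-SubmitSamplesConsent 0 -UILockdown $true"),
    ("2024-10-04T09:05:00", "FS01", "Get-MpPreference | Select-Object DisableRealtimeMonitoring"),
    ("2024-10-04T10:00:00", "WS12", "set-mppreference -disablerealtimemonitoring:1"),
]

# Constructed Security 4688 process-creation records: (timestamp, host, image path)
PROCESS_EVENTS = [
    ("2024-10-03T23:50:12", "FS01", r"C:\Users\Public\hrsword.exe"),
    ("2024-10-04T09:10:00", "FS01", r"C:\Windows\System32\svchost.exe"),
]

# Matches Set-MpPreference turning real-time monitoring off; tolerates the
# "-Param value" and "-Param:value" forms and $true/1, case-insensitively.
DEFENDER_OFF = re.compile(
    r"set-mppreference\b.*?-disablerealtimemonitoring[\s:]+(\$true|1)\b", re.IGNORECASE)


def firewall_sourced_logons(events):
    """Network (3) or RDP (10) logons whose source is the firewall's own LAN address.

    Legitimate SSL-VPN users should appear with an address from VPN_POOL; a logon
    sourced from the firewall itself matches what Truesec observed."""
    hits = []
    for ts, host, user, logon_type, src in events:
        addr = ipaddress.ip_address(src)
        if logon_type in (3, 10) and addr in FIREWALL_LAN_IPS:
            hits.append((ts, host, user, src))
    return hits


def defender_disable_attempts(blocks):
    """Script blocks that switch Defender real-time monitoring off."""
    return [(ts, host) for ts, host, text in blocks if DEFENDER_OFF.search(text)]


def av_killer_launches(events, image_names=("hrsword.exe",)):
    """Process launches whose image name is a known AV-disabling tool."""
    return [(ts, host, image) for ts, host, image in events
            if image.lower().rsplit("\\", 1)[-1] in image_names]


if __name__ == "__main__":
    for hit in firewall_sourced_logons(LOGON_EVENTS):
        print("logon sourced from firewall LAN IP:", hit)
    for hit in defender_disable_attempts(SCRIPT_BLOCKS):
        print("Defender real-time protection disabled:", hit)
    for hit in av_killer_launches(PROCESS_EVENTS):
        print("AV-disabling tool launched:", hit)
```

Two caveats when applying this to real data: 4104 events only exist where script block logging was enabled before the intrusion, and the regex assumes the full parameter name, whereas PowerShell also accepts unambiguous abbreviations, so treat any Set-MpPreference invocation from an unexpected account or time as worth a look.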
itman, posted November 10 (edited):
Based on this: https://www.ransomlook.io/group/helldown , Helldown ransomware group launched a new wave of attacks on Nov. 6. Makes me wonder if they are deploying a new variant.
-EDIT- These attacks actually occurred in Sept. and Oct. and were just made public on Nov. 6.
Edited November 11 by itman
itman, posted November 10:
In light of the above posting that HellDown ransomware group's primary network intrusion method is via Zyxel network perimeter firewall appliances, it so happens that HellDown launched a successful ransomware attack against Zyxel itself, with a significant data upload occurring: https://ransomwareattacks.halcyon.ai/attacks/zyxel-networks-hit-by-helldown-ransomware-253gb-data-leaked . If I were using one of these Zyxel devices, I would be taking a "hard look" at them.
Anthonyy (author), posted November 12:
The log collector is not executing due to the virus. https://we.tl/t-jvCFet84aa
Marcos (Administrator), posted November 12:
I'm afraid that the only option is to restore the system and files from a backup, if one exists. Without logs we can't investigate how the attack occurred. It would help substantially if ESET Inspect was installed to monitor suspicious operations in the network prior to the encryption.
QuickSilverST250, posted November 12:
@Anthonyy What version/product of ESET are you using?
Anthonyy (author), posted November 16:
I found a solution, guys. If anyone is also facing this issue, they can watch the video given. I contacted them and they helped me to decrypt my files with a good success ratio. Video link:
itman, posted November 16 (edited):
Quote (1 hour ago, Anthonyy said):
I found a solution, guys. If anyone is also facing this issue, they can watch the video given. I contacted them and they helped me to decrypt my files with a good success ratio.
I assume you used one of the data recovery services such as this one: https://digitalrecovery.com/en/decrypt-ransomware/helldown/ . BTW, what antivirus solution was installed when you got hit with this ransomware attack?
Edited November 16 by itman
itman, posted November 16 (edited):
I also came across this posting from the Zyxel forum: https://community.zyxel.com/en/discussion/26764/ransomware-helldown , which I strongly advise reading if you are using Zyxel firewall appliances. Also related: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-os-command-injection-flaw-in-routers/ .
Edited November 18 by itman
itman, posted November 17 (edited):
Helldown Ransomware Group had quite a profitable month in Oct.:
Quote:
The ransomware group Helldown has resurfaced with a new onion address; 15 new victims listed on the data leak site.
https://www.linkedin.com/posts/hackmanac_cyberattacks-the-ransomware-group-helldown-activity-7260195411515052034-Ox7K with most of the victims in the U.S.
Edited November 17 by itman
Anthonyy (author), posted November 18:
I used this decryptor and it worked 100% for me. Here is the link: https://decryptors.org/helldown-ransomware-decryptor/
itman, posted November 18 (edited):
Quote (1 hour ago, Anthonyy said):
I used this decryptor and it worked 100% for me. Here is the link: https://decryptors.org/helldown-ransomware-decryptor/
What did they charge you for the decryptor?
Edited November 18 by itman
Anthonyy (author), posted November 19 (edited):
4500 dollars
Edited November 19 by Anthonyy
itman, posted November 19:
Your final issue is whether the Helldown Group uploaded your server data prior to encrypting it, which is pretty much the norm these days. If so, expect the data to show up on the Dark Web shortly.
itman, posted November 19 (edited):
Helldown Ransomware Group is also getting a lot of recent press coverage. Here's one of the recent articles: https://www.infosecurity-magazine.com/news/helldown-ransomware-target-vmware/ . Related: https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/ .
Edited November 19 by itman