Posted

Hi everyone, I really need some help! Our server was struck by Helldown ransomware, and all our important data is locked up. I’m urgently looking for a way to decrypt it and get things back to normal. If anyone has experience with this or knows of a reliable solution, I’d be beyond grateful. Thank you so much in advance!

  • Administrators
Posted

Please provide:
1. Logs collected with ESET Log Collector
2. A couple of encrypted files (ideally Office documents)
3. The ransomware note with payment instructions.

Most likely it's Win32/Filecoder.ORG which has been detected by ESET since Aug 12.

Posted (edited)

Here's an article on Helldown ransomware; https://www.truesec.com/hub/blog/helldown-ransomware-group .

Of note;

Quote

The Truesec CSIRT have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim’s environment directly from the LAN IP-address of their internet facing Zyxel firewall.

Based on tests conducted of victims' externally facing firewalls, the default behaviour should assign an authenticated SSL-VPN user an IP from a predefined IP-address pool 10.10.11.0/24, and any traffic from an SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP-address. Despite this expected behaviour, traffic was sourced from 192.168.1.1 when the TA authenticated to any of the internal machines in the victim's environment. The forensic team was left unable to investigate the underlying operating system of the compromised firewalls, and as such were unable to positively confirm whether the threat actor utilized the SSL-VPN service to access the victim's environment, or if the firewall device itself had been compromised via an exploit. The evidence points towards the latter of the two options.

If you were using Microsoft Defender on the server, assume it was disabled;

Quote

Two methods of disabling local anti-virus were observed during recent investigations. The first method was by manually disabling real-time protection using powershell. The second method was by employing hrsword.exe to disable endpoint protection software on a given machine [T1562.001].

Command Lines:

Command line: powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 -SubmitSamplesConsent 0 -UILockdown $true
Description: PowerShell command line to disable Windows Defender Real-time Protection

Edited by itman
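The two Truesec observations quoted above (logons sourced from the firewall's own LAN address instead of the SSL-VPN pool, and Defender being switched off with Set-MpPreference or hrsword.exe) both translate into simple detections. The script below is an added example written for this thread; it is not code from Truesec, ESET or the forum. The pool 10.10.11.0/24 and the address 192.168.1.1 are the values from the excerpt, and the logon records and PowerShell script-block lines are constructed sample data, not real logs.

```python
import ipaddress
import re
from typing import Dict, List

# Values taken from the Truesec excerpt: the SSL-VPN client pool and the firewall LAN
# address that logons were unexpectedly sourced from. A real deployment would substitute
# its own pool and LAN address (assumption: both are known to the defender).
SSL_VPN_POOL = ipaddress.ip_network("10.10.11.0/24")
FIREWALL_LAN_IPS = {ipaddress.ip_address("192.168.1.1")}

# Constructed sample logon records (fields loosely modelled on Windows Security event
# 4624: target host, account, source address, logon type). Not real data.
SAMPLE_LOGONS = [
    {"host": "FILESRV01", "user": "svc_backup", "src": "10.10.11.23", "logon_type": 10},
    {"host": "DC01", "user": "administrator", "src": "192.168.1.1", "logon_type": 3},
    {"host": "FILESRV01", "user": "jdoe", "src": "192.168.1.57", "logon_type": 3},
]


def classify_source(src: str) -> str:
    """Label where a remote logon came from, relative to the firewall's expected behaviour."""
    ip = ipaddress.ip_address(src)
    if ip in FIREWALL_LAN_IPS:
        return "firewall-lan-ip"   # the anomaly the Truesec excerpt describes
    if ip in SSL_VPN_POOL:
        return "ssl-vpn-pool"      # normal for an authenticated SSL-VPN client
    return "other"


def logons_from_firewall(records: List[Dict]) -> List[Dict]:
    """Return logon records whose source is the firewall's own LAN address."""
    return [r for r in records if classify_source(r["src"]) == "firewall-lan-ip"]


# Set-MpPreference parameters from the quoted command line, with the values that weaken
# Defender. Matches both "-Param value" and "-Param:value" forms, case-insensitively.
DEFENDER_TAMPER_PATTERNS = {
    "DisableRealtimeMonitoring": re.compile(r"-DisableRealtimeMonitoring[\s:]+(\$true|1)\b", re.I),
    "MAPSReporting": re.compile(r"-MAPSReporting[\s:]+(0|Disabled)\b", re.I),
    "SubmitSamplesConsent": re.compile(r"-SubmitSamplesConsent[\s:]+(0|NeverSend)\b", re.I),
    "UILockdown": re.compile(r"-UILockdown[\s:]+(\$true|1)\b", re.I),
}


def defender_tamper_flags(script_text: str) -> List[str]:
    """Names of Defender-weakening parameters found in a PowerShell command or script block."""
    if not re.search(r"Set-MpPreference", script_text, re.I):
        return []
    return [name for name, pat in DEFENDER_TAMPER_PATTERNS.items() if pat.search(script_text)]


def is_av_killer_process(image_path: str) -> bool:
    """True if a process-creation record names hrsword.exe, the tool the excerpt reports [T1562.001]."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower() == "hrsword.exe"


# Constructed PowerShell script-block entries (as logged in Event ID 4104 ScriptBlockText).
SAMPLE_SCRIPT_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 -SubmitSamplesConsent 0 -UILockdown $true",
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -ScanScheduleDay Everyday",
]

if __name__ == "__main__":
    for r in logons_from_firewall(SAMPLE_LOGONS):
        print(f"ALERT logon to {r['host']} as {r['user']} sourced from firewall LAN IP {r['src']}")
    for text in SAMPLE_SCRIPT_BLOCKS:
        flags = defender_tamper_flags(text)
        if flags:
            print("ALERT Defender tampering:", ", ".join(flags), "<-", text)
    print("hrsword.exe seen:", is_av_killer_process(r"C:\Users\Public\hrsword.exe"))
```

The logon check is only meaningful if the firewall's LAN address never legitimately originates interactive logons to servers; if management traffic does come from it, narrow the rule to logon types 3 and 10 against hosts that should only be reached via the VPN pool. The Set-MpPreference check is intentionally conservative: it ignores Get-MpPreference and harmless Set-MpPreference changes, and only fires on the parameter values that actually reduce protection.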
Posted (edited)

Based on this: https://www.ransomlook.io/group/helldown , Helldown ransomware group launched a new wave of attacks on Nov. 6. Makes me wonder if they are deploying a new variant.

-EDIT- These attacks actually occurred in Sept. and Oct. and were just made public on Nov. 6.

Edited by itman
Posted

In light of the above posting that the HellDown ransomware group's primary network intrusion method is via Zyxel network perimeter firewall appliances, it so happens that HellDown launched a successful ransomware attack against Zyxel itself with a significant data upload occurring: https://ransomwareattacks.halcyon.ai/attacks/zyxel-networks-hit-by-helldown-ransomware-253gb-data-leaked .

If I was using one of these Zyxel devices, I would be taking a "hard look" at them.

  • Administrators
Posted

I'm afraid that the only option is to restore the system and files from a backup, if one exists. Without logs we can't investigate how the attack occurred. It would have helped substantially if ESET Inspect had been installed to monitor suspicious operations in the network prior to the encryption.

Posted

I found a solution, guys. If anyone else is facing this issue, they can watch the video given. I contacted them and they helped me decrypt my files with a good success ratio.

video link:

Posted (edited)
1 hour ago, Anthonyy said:

I found a solution, guys. If anyone else is facing this issue, they can watch the video given. I contacted them and they helped me decrypt my files with a good success ratio.

I assume you used one of the data recovery services such as this one: https://digitalrecovery.com/en/decrypt-ransomware/helldown/ .

BTW - what antivirus solution was installed when you got hit with this ransomware attack?

Edited by itman
Posted (edited)

I also came across this posting from Zyxel forum: https://community.zyxel.com/en/discussion/26764/ransomware-helldown which I strongly advise reading if you are using Zyxel firewall appliances.

Also related: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-os-command-injection-flaw-in-routers/ .

Edited by itman
Posted (edited)

Helldown Ransomware Group had quite a profitable month in Oct.;

Quote

The ransomware group Helldown has resurfaced with a new onion address; 15 new victims listed on the data leak site.

https://www.linkedin.com/posts/hackmanac_cyberattacks-the-ransomware-group-helldown-activity-7260195411515052034-Ox7K

with most of the victims in the U.S.

Edited by itman
Posted

Your final issue is whether the Helldown group uploaded your server data prior to encrypting it, which is pretty much the norm these days. If so, expect the data to be showing up on the Dark Web shortly.

Posted (edited)

Helldown Ransomware Group is also getting a lot of recent press coverage. Here's one of the recent articles: https://www.infosecurity-magazine.com/news/helldown-ransomware-target-vmware/ .

Related: https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/ .

Edited by itman
