Helldown Ransomware: an overview of this emerging threat
ID: 6836e0c0-2379-5e0e-8f2d-04748b299fbf
STIX ID: report--6836e0c0-2379-5e0e-8f2d-04748b299fbf
Feed Name: Sekoia.io Blog
Sekoia TDR reports on the Helldown intrusion set, an active ransomware operator responsible for at least 31 victims. The group exploits Zyxel firewall vulnerabilities to gain initial access, performs large-scale data exfiltration for double extortion, and deploys Windows and Linux ransomware (including ESX-targeting functionality). The analysis includes dynamic and static breakdowns of samples, IoCs (multiple SHA256 hashes and a Zyxel config artifact), observed TTPs (credential pivoting, shadow-copy deletion, process termination), and an assessment of possible ties to Darkrace/Donex rebrands, though no definitive attribution is made.
