Helldown Ransomware Analysis

Introduction

Helldown ransomware, first identified in August 2024, is a recent addition to the ransomware landscape, known for its aggressive tactics and sophisticated encryption methods. This malware encrypts a wide range of file types, appending a unique extension to each, and leaves a ransom note instructing victims on payment procedures, typically demanding cryptocurrency. Notably, Helldown has been linked to several high-profile attacks, including breaches at Zyxel Networks, where 253GB of data were leaked, and Hug-Witschi AG, with 67GB of data exfiltrated.
[Halcyon]

Data Leak Site (DLS)

Helldown ransomware operates a Data Leak Site (DLS), a dedicated platform where the operators publish stolen data from organizations that refuse to pay the ransom. This site is used as leverage to pressure victims into complying with payment demands by threatening the exposure of sensitive data, which could damage the victim’s reputation or lead to further legal and financial consequences.
The Helldown DLS serves as a public warning to other targeted organizations, reinforcing that non-compliance with ransom demands can result in significant data exposure. This tactic has proven effective for ransomware groups, as it often pressures companies into negotiations to avoid public fallout and protect sensitive information from being leaked.

As shown here is a screenshot from their DLS with over 20 victims announced.

Analysis

The file was marked with 0 detections and there is a tweet was posted for that, a new variant of Helldown was hosted on this URL `78.46.194[.]43/e.dat`

checking this URL in urlscan.io we got the sample hash `6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd`

Malware Configuration

Ransomware Configuration is saved in XML format, it uses `mxmlLoadString` to copy it to another global variable which will be accessed later upon demand.

the function `exec_cmds` is designed for executing commands embedded in the configuration which it is key is `cmd` , it extracts the key value and pass it to `popen` which is a Linux function used to executed command lines.

there is only one command in the XML configuration marked with the key `cmd` which is `touch a` as shown below.

There are also some interesting elements like the Tox ID, the contact e-mail.

Killing VMs

a function called ‘kill_vms`, which forcefully terminates virtual machines running on a system, specifically targeting VMware environments by utilizing `esxcli`, a command-line interface for VMware ESXi.

1- Memory Allocation and Initialization (v1 and v8)

• `v1` is allocated 0x2800 bytes of memory (10 KB), then zeroed out with `memset`. This will temporarily store the output from the command listing running VM processes.
• `v8`, another buffer, is used to construct commands that will terminate these VMs.

2- Listing VM Processes

The code executes `esxcli vm process list`, a command that lists VMs along with their associated “World IDs” on VMware ESXi. The output of this command is read into `v1`, then closed with `pclose`.

3- Parsing and Killing VMs by World ID

•   – The loop scans the output in `v1` for instances of “World ID: ” using `strstr`.
•     – When a “World ID” is located, it extracts the numerical ID following this label.
•     – Based on the argument `a1`, it determines the type of VM termination:
•         – Soft (case 1): Graceful shutdown.
•         – Hard (case 2): Abrupt shutdown.
•         – Force (case 3): Forceful termination.
•     – It then constructs a kill command using `esxcli vm process kill –type=<type> –world-id=<World ID>` and executes it, terminating the VM associated with that World ID.

And to ensure that all processes are terminated it will call this function 3 times with different argument which was used to determine termination type.

Key Generation

The Ransomware then will initialize encryption key, here is an explanation of this process:

1- Salsa Key Generation (`b_gen_salsa_key(0x10);`)

`b_gen_salsa_key(0x10)` generates a Salsa20 encryption key of 16 bytes (0x10).
Salsa20 is a fast stream cipher, often favored by malware due to its speed and reliability. This key (`t_key`) will likely be used to encrypt file content or other sensitive data.

2- RSA Encryption of the Salsa Key (`b_rsa_enc((__int64)v3, 0x10);`)

The generated Salsa key (`t_key`) is then encrypted using RSA (`b_rsa_enc`). Encrypting the session key with RSA (typically the ransomware’s public key) prevents victims from decrypting files without access to the private key held by the attacker. The encrypted key is stored as `t_rsa_key`.

3- Processing of Files (`b_work(v5);`)

The function `b_work(v5)` is invoked with `v5`, which seems to be a pointer to `argv[1]`
possibly this function is the core function of the ransomware itself.

4- Memory Cleanup (`free(t_key);`)

After `b_work` completes, `t_key` is freed from memory to prevent the encryption key from being recovered from memory dumps.

b_work() function

The `b_work` function is the primary controller, responsible for initializing resources, setting up mutexes and semaphores, and launching multiple threads for the ransomware’s operations. Key steps in this function include:

1- Memory and Mutex Setup :

Allocates memory for variables and sets up mutexes and semaphores`(p_mutex, v21, sem)` for managing concurrent access.

2- Directory Setup and Initialization :

Copies the source `path(src)` into dynamically allocated memory, which is used by the threads to traverse and process files in the specified directory.

3- Thread Creation :

Launches 10 threads using `walk_thread`, each likely tasked with traversing and populating files / directories for encryption.

Following the `walk_thread` threads, it starts additional threads`(cry_thread)` responsible for file encryption, synchronized by semaphores.

4 – Synchronization :

The function waits for each thread to complete using `pthread_join` and posts semaphores to trigger `cry_thread` operations after `walk_thread` completes its directory traversal tasks.

In essence, `b_work` sets up the infrastructure for multi-threaded directory traversal and encryption, allowing the ransomware to encrypt files efficiently.

Walk_Thread() Function :

The walk_thread function handles directory traversal and file discovery, a crucial step for identifying which files will be encrypted.

Directory Traversal :

Opens directories and iterates over each entry using readdir64. For each entry, it checks if it’s a file or directory using `d_type`.

File Filtering :

Calls `b_skip_some_file` to check if a file should be skipped which ensures that only targeted files are encrypted, which was included in the XML configuration.

if we dig inside `b_skip_file` function , it first extracts the file extension by locating the last period`(.)` in the filename and converts it to lowercase.

it the check against a predefined blacklist extensions to see if the extension matches any specified one from the configuration which is identified by `black` key in the xml configuration.
And here is part of the files to be which will not be skipped , others will

<black>.vmdk</black>,
<black>.vswp</black>,
<black>.log</black>,
<black>.vmem</black>,
<black>.vmsn</black>,
<black>.vmx</black>,

File Queuing :

For each eligible file, it creates a full path, obtains the file `size(b_get_file_size)`, and creates a node to store this information.
Pushes each file node into a `queue(b_queue_push_node)`, synchronized with the semaphore to signal `cry_thread` that files are ready for encryption.

cry_thread() Function :

The `cry_thread` function performs the actual file encryption, the explanation as follows:

1- File Dequeuing:

Waits on a semaphore and then dequeues a file node from the queue populated by `walk_thread`.

2- Encryption Process:

Opens the file and determines chunk sizes based on file size to optimize the encryption process.
Generates a Salsa20 key for encryption and encrypts the file contents in chunks using s20_crypt.
Appends an RSA – encrypted version of the Salsa20 key to the end of the file, effectively locking the file without the decryption key.

3- Cleanup:

Closes the file, releases memory, and generates a ransom `(b_gen_readme_file)` after encryption completes.

it extracts the content of readme note from the XML configuration which is identified with key `content`

<content>
'All of your VM disks(*.vmdk) are Encrypted and Critical data
was leaked
How to recover? Download the Qtox chat:https://qtox.github.io and contact us
Qtox ID:19A549A57160F384CF4E36EE1A24747ED99C623C48EA545F343296FB7092795D00875C94151E 
Contant via Mail:helldown@onionmail.org'
</content>

Hellodown Ransomware uses the Salsa20 and RSA encryption combination to ensure secure file encryption, making decryption nearly impossible without the attacker’s RSA private key.

MITRE ATT&CK:

IOCs :