THREAT INTEL

Helldown ransomware, in plain English.

A fast-moving ransomware crew is breaking into small businesses through unpatched firewall VPNs, stealing data, and encrypting everything. Here's what it is — and what to do this week.

If you run a small business, here is the uncomfortable version: the ransomware groups operating today are not picking targets by size. They are picking them by what's exposed and unpatched. Helldown is a textbook example — and the way it gets in is something most small companies have sitting on their network right now.

This is a plain-English brief on what Helldown is, how it works, and the handful of things worth doing this week. No jargon walls.

What Helldown actually is

Helldown is a ransomware group that first surfaced in the summer of 2024. In its first three months it listed more than 30 victims on its dark-web leak site — heavily weighted toward IT services, telecommunications, and manufacturing companies, many of them small and mid-sized. Its Windows malware is built from the leaked LockBit 3 toolkit, and a newer version targets Linux and VMware servers.

It runs a double-extortion playbook: before encrypting your files, the attackers quietly copy large amounts of your data out. Then they encrypt everything and demand payment twice over — once to unlock your files, and again to stop them publishing the stolen data. Paying for a decryption key does nothing to un-leak what they already took. (Background reporting: Sekoia and BleepingComputer.)

How it gets in — this is the part that matters

Helldown's notable trick is the front door it uses: the firewall. Several confirmed victims were breached through Zyxel firewalls being used as VPN access points, via a vulnerability tracked as CVE-2024-42057. Zyxel patched it in firmware version 5.39 in September 2024 — but a patch only helps the businesses that actually install it.

Once inside, the pattern is depressingly consistent across ransomware crews:

The lesson isn't "Zyxel bad." It's that an unpatched, internet-facing network device with VPN access is the single most valuable thing an attacker can find — whatever brand it is.

Why small businesses are the soft target

Enterprises have teams who patch firewalls on a schedule and watch for a domain controller being touched at 3am. Most small businesses have neither. The firewall got installed once, by someone who may no longer work there, and nobody has logged into it since. That gap — not a lack of expensive tools — is what groups like Helldown monetize.

Five things to do this week

None of these require a big budget. In rough priority order:

  1. Patch your firewall and VPN appliances. Check the firmware version on every internet-facing device and update it. If you use Zyxel, you want 5.39 or later. If you don't know who manages it, that's the first problem to fix.
  2. Turn on multi-factor authentication for VPN access — and delete VPN accounts for anyone who has left or never needed one. A stolen password should not be enough to walk in.
  3. Make your backups ransomware-proof. Backups that an attacker can reach and delete are not backups. You want immutable, off-network copies you've actually tested restoring from. (We wrote up what "immutable" really means as part of our backup & disaster recovery work.)
  4. Watch for the warning signs. Shadow copies being deleted, security tools being switched off, and odd late-night logins to a domain controller are the moments before encryption — the window where a response can still save you.
  5. Have someone watching 24/7. Ransomware is detonated on nights and weekends precisely because nobody's looking. A managed detection-and-response service exists to catch the lateral movement before the encryption — which is exactly the job our SOC does.
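As an added example (not part of the original brief), here is a small Python check that runs the three warning signs from item 4 over a handful of constructed sample log lines; the log format, the host names and the 07:00-19:00 working window are assumptions, not anything taken from a real incident.

```python
import re
from datetime import datetime

# Constructed sample log lines for this example (not from any real incident).
# Assumed format: ISO timestamp|hostname|message
SAMPLE_LOG = """\
2024-09-14T03:12:07|DC01|Logon success user=svc_admin logon_type=10 src=10.0.5.23
2024-09-14T03:13:40|FILESRV|Process start: vssadmin.exe delete shadows /all /quiet
2024-09-14T03:14:02|FILESRV|Windows Defender real-time protection disabled by user svc_admin
2024-09-14T09:05:11|DC01|Logon success user=jdoe logon_type=10 src=10.0.5.40
2024-09-14T11:20:33|WS07|Process start: notepad.exe C:\\Users\\jdoe\\notes.txt
"""

# Patterns for the three warning signs named in the brief.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
TOOL_DISABLED = re.compile(r"(defender|antivirus|real-time protection|edr)\b.*\bdisabled", re.I)
LOGON_OK = re.compile(r"Logon success .*logon_type=(2|10)\b")  # interactive / remote interactive

def is_after_hours(ts, business_hours=(7, 19)):
    """True if the event falls outside the assumed working window (hours, 24h clock)."""
    start, end = business_hours
    return not (start <= ts.hour < end)

def find_warning_signs(log_text, domain_controllers, business_hours=(7, 19)):
    """Return (timestamp, host, sign) for every line that matches a pre-encryption warning sign."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, host, msg = line.split("|", 2)
        ts = datetime.fromisoformat(ts_str)
        if SHADOW_DELETE.search(msg):
            findings.append((ts_str, host, "shadow_copies_deleted"))
        elif TOOL_DISABLED.search(msg):
            findings.append((ts_str, host, "security_tool_disabled"))
        elif host in domain_controllers and LOGON_OK.search(msg) and is_after_hours(ts, business_hours):
            findings.append((ts_str, host, "after_hours_dc_logon"))
    return findings

if __name__ == "__main__":
    # DC01 is the assumed domain controller; the 09:05 logon and the notepad run are ignored.
    for ts, host, sign in find_warning_signs(SAMPLE_LOG, {"DC01"}):
        print(f"{ts} {host}: {sign}")
```

In practice these three hits land within minutes of each other, which is the point: alerting on the cluster, not on any single line, is what buys the response window the brief describes.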

The honest takeaway

Helldown isn't special. It's competent, fast, and opportunistic — and it works because the basics go undone. An attacker who finds an unpatched firewall, no MFA, and deletable backups will get a payday from a 40-person company just as happily as from a 4,000-person one.

The flip side is the good news: the same basics that stop Helldown stop most of what's out there. Patch the edge, lock down remote access, keep backups it can't touch, and have someone — human or AI — watching for the move before the ransom note.

IronCastle is AI-native managed cybersecurity for small and mid-sized businesses — a 24/7 human SOC backed by an AI defender that moves first.
