Ransomware Helldown

From your link:

***************************************************************

Initial Access

The Truesec CSIRT have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim’s environment directly from the LAN IP-address of their internet facing Zyxel firewall.

Based on tests conducted of victims externally facing firewalls, the default behaviour should assign an authenticated SSL-VPN user an IP from a predefined IP-address pool 10.10.11.0/24, and any traffic from a SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP-address. Despite this expected behaviour, traffic was sourced from 192.168.1.1 when the TA authenticated to any of the internal machines in the victims environment. The forensic team was left unable to investigate the underlying operating system of the compromised firewalls, and as such, were unable to positively confirm weather the threat actor utilized the SSL-VPN service to access the victims environment, or if the firewall device itself had been compromised via an exploit. The evidence points towards the latter of the two options.

The same investigation also showed that a user account was created on the externally facing firewall as part of the compromise. It was not confirmed if the user was created during a possible exploitation of the operating system, or post breach


***************************************************************

I faced the issue on two devices with 5.38 firmware: a USG-FLEX 50 and USG-FLEX 200.To fix, I did this:

1. put device offline
2. delete all saved configurations (I didn't trust them anymore)
3. load a configuration from a file I had saved offline
4. upgrade firmware
5. change every password (admins - users - vpn keys)
6. put device online

Then I restricted https/ssh access to fixed ip and set 2FA for VPN users.The natted source seems interesting. I confirm that connections came from USG LAN IP.

I remember that I found a SUPPOR87 between logged users, but I didn't found it in user list.

I found SSL VPN policies (I use only Ipsec ones) and great scrambling in policy control page.

At that time, there was no more activity. Attack to LAN was over from many hours, and it's duration had been about an hour.

The attack was unsuccessful, since no access to active directory was successful. The only outcome was many users locked out for failed logons.

The attempt was limited to users that had an account also on firewall. The attacker, with control over firewall, took the list of user names and attempted those names against active directory. Don't know if with brute force or with credentials stealed from firewall, but users had other passwords on AD.

About natted source: I use only IPsec vpns, and there connection is routed (client appears to come from its IP). I suspected that SSL vpns worked the other way, but in that document I read that they are routed too.

In that document the author wonders how those connections could come from firewall.

I think that attacker could have simply set port forwarding rules.

When I realized that firewall was compromised (user logged on, ssl vpns activated, scrambled firewall rules), I focused more on recovery than on looking deeply on what had been changed.

Has someone kept configuration file from compromised state? It would be interesting to know.

I am also facing the same issue.
any solution available?

Thanks for the reply but my problem is solved, i go through youtube and find some videos of a decryption company and with the help of their decryptor i recovered all my data.

video link: https://www.youtube.com/watch?v=MI1i3btpXkE

Website link: https://decryptors.org/helldown-ransomware-decryptor/