Helldown Ransomware: an overview of this emerging threat
Helldown is a relatively new Intrusion Set in the ransomware landscape, first documented by Cyfirma in their August ransomware tracking report. Although still largely undocumented, the group is highly active, having listed 28 victims on its Data Leak Site (DLS) since 5 August 2024.
While the group’s exact methods remain unclear, both Cyfirma and Cyberint report that it exploits vulnerabilities to infiltrate victims’ networks and deploy its ransomware. The intrusion set employs a double extortion strategy, exfiltrating large volumes of data and threatening to publish it on its .onion site if the ransom is not paid.
The group’s DLS underwent changes toward the end of August. Notably, while the victims listed on the original DLS were transferred to the new one, three victims were removed. The reason for this removal is unclear, but it may indicate that a ransom was paid.
MITRE ATT&CK & Malware Families
Indicators of Compromise (11 / 13 total)