VanHelsing Ransomware Targets Multiple Platforms with Advanced Stealth

A new ransomware operation, VanHelsing, has surfaced as a multi-platform RaaS (Ransomware-as-a-Service), attacking Windows, Linux, BSD, ARM, and ESXi systems.

First promoted on cybercrime forums on March 7, it allows experienced affiliates to join for free, while less experienced ones must pay a $5,000 deposit. Affiliates retain 80% of ransom payments, while operators take 20%, using an automated escrow system for payments.

Check Point Research reports that VanHelsing is a Russian cybercrime project that avoids targeting CIS countries. Stolen files are stored on VanHelsing’s own servers, and operators claim to perform regular penetration testing to secure their platform.

Currently, their dark web extortion site lists three victims—two U.S. tech companies and a French organization, with one victim being a Texas city. The demanded ransom is $500,000, and the operators threaten to leak stolen data if unpaid.

VanHelsing is written in C++ and uses ChaCha20 encryption, with an embedded Curve25519 public key securing encryption keys. It features custom CLI options, allowing attackers to fine-tune their approach by selecting specific drives, folders, and stealth modes.

A stealth mode separates encryption from file renaming into two separate passes, so the activity resembles ordinary file I/O and security tools see nothing out of the ordinary until the files are already encrypted.
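The defender-side consequence of that stealth mode is that detections keyed on file renames or new extensions fire late or not at all. The following added example (not code from the report or from the malware) shows a content-based check instead: it compares two constructed snapshots of a directory and flags files that kept their name but whose bytes jumped from structured content to near-random, which is what in-place encryption looks like. The paths, thresholds and sample data are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_encrypted_in_place(baseline, current, high=7.5, jump=2.0):
    """Compare two snapshots {path: bytes}. Return (path, old_entropy, new_entropy)
    for files whose name survived but whose content became near-random."""
    hits = []
    for path, new_data in current.items():
        old_data = baseline.get(path)
        if old_data is None or old_data == new_data:
            continue  # new or unchanged file: not an in-place overwrite
        old_e, new_e = shannon_entropy(old_data), shannon_entropy(new_data)
        # Require both an absolute high-entropy result and a large jump, so files
        # that were already compressed or encrypted in the baseline do not alert.
        if new_e >= high and new_e - old_e >= jump:
            hits.append((path, round(old_e, 2), round(new_e, 2)))
    return hits


# Constructed sample snapshots (placeholder data, not from any real incident).
_rng = random.Random(1)
_text = b"Quarterly report: revenue grew 4% while costs held flat.\n" * 64
_random_blob = bytes(_rng.getrandbits(8) for _ in range(4096))     # stands in for ciphertext
_already_packed = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for a .zip

BASELINE = {"docs/report.txt": _text, "docs/notes.txt": _text, "archive/q1.zip": _already_packed}
CURRENT = {
    "docs/report.txt": _random_blob,     # encrypted in place, name and extension kept
    "docs/notes.txt": _text,             # untouched
    "archive/q1.zip": _already_packed,   # high entropy in both snapshots: no jump, no alert
}

if __name__ == "__main__":
    for path, before, after in flag_encrypted_in_place(BASELINE, CURRENT):
        print(f"ALERT {path}: entropy {before} -> {after}")
```

Files that are high-entropy to begin with (archives, media, already-encrypted stores) need a different signal, such as a failed format signature check, because the entropy jump alone cannot distinguish them from ciphertext.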

Despite its sophistication, researchers have found flaws in its code, including errors in file extensions, exclusion logic, and unimplemented commands. However, its rapid evolution suggests it may soon become a significant cybersecurity threat.
