{"id":2476,"date":"2025-03-25T11:51:39","date_gmt":"2025-03-25T11:51:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2476"},"modified":"2025-03-25T11:51:39","modified_gmt":"2025-03-25T11:51:39","slug":"new-vanhelsing-ransomware-claims-three-victims-within-a-month","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2476","title":{"rendered":"New VanHelsing ransomware claims three victims within a month"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A new ransomware-as-a-service (RaaS) affiliate program, VanHelsing, is rapidly gaining traction, with its operators successfully targeting three victims within a month of its launch on March 7.<\/p>\n<p>The RaaS project, presumed to be Russian because it prohibits attacks on Commonwealth of Independent States (CIS) targets, was first discovered by CYFIRMA on March 16, as attackers used it for encryption and double extortion.<\/p>\n<p>\u201cOnce executed, VanHelsing appends the \u2018.vanhelsing\u2019 extension to the encrypted files, modifies the desktop wallpaper, and drops a ransom note named \u2018README.TXT\u2019 on the victim\u2019s system,\u201d CYFIRMA said in a <a href=\"https:\/\/www.cyfirma.com\/research\/vanhelsing-ransomware\/\">blog post<\/a>.<\/p>\n<p>One of VanHelsing\u2019s victims was reportedly asked to pay $500,000 to a specified Bitcoin wallet.<\/p>\n<h2 class=\"wp-block-heading\"><strong>A multi-platform RaaS<\/strong><\/h2>\n<p>CYFIRMA initially reported VanHelsing to be a Windows-targeting <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a>. 
\u201cDesigned to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files,\u201d CYFIRMA had said.<\/p>\n<p>Days later, however, Check Point spotted VanHelsing advertisements on the dark web offering multi-platform variants.<\/p>\n<p>\u201cCheck Point research discovered two VanHelsing ransomware variants targeting Windows, but as the RaaS mentions in the advertisements, it provides more offerings \u2018targeting Linux, BSD, ARM, and ESXi systems,\u2019\u201d Check Point said <a href=\"https:\/\/research.checkpoint.com\/2025\/vanhelsing-new-raas-in-town\/\">in a blog<\/a>.<\/p>\n<p>The RaaS offers an intuitive control panel for simplified ransomware operations, Check Point added. The newer of the two variants analyzed by Check Point, which were compiled five days apart, showed \u201csignificant updates,\u201d suggesting a rapidly evolving ransomware.<\/p>\n<p>Russian origin is suspected for the <a href=\"https:\/\/www.csoonline.com\/article\/559049\/ransomware-as-a-service-fuels-explosive-growth.html\">RaaS program<\/a> because it forbids encryption of systems in CIS countries, a restriction typical of Russian cybercrime.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Sophisticated affiliate program<\/strong><\/h2>\n<p>VanHelsing is a refined ransomware written in C++ and, based on the compilation timestamp observed by Check Point, claimed its first victim on the same day it was spotted by CYFIRMA.<\/p>\n<p>\u201cThe ransomware accepts multiple command-line arguments that control the encryption process, such as whether to encrypt network and local drives or specific directories and files,\u201d Check Point added.<\/p>\n<p>Additionally, according to a screenshot of VanHelsing\u2019s advertisement included in the Check Point blog post, the RaaS offers other affiliate-friendly features including encryption control, encryption modes, self-propagation, and debugging.<\/p>\n<p>While new affiliates are required to pay 
a deposit of $5,000 to gain access to the program, experienced ones can join for free. \u201cAfter two blockchain confirmations of the victim\u2019s ransom payment, the affiliates receive 80% of the revenue, while the remaining 20% is paid to the RaaS operators,\u201d Check Point added.<\/p>\n<p>To keep victims from restoring or recovering files, the ransomware deletes all \u201cShadow Copies,\u201d the point-in-time backup copies of files or volumes created by the Windows Volume Shadow Copy Service (VSS).<\/p>\n<p>According to CYFIRMA, the ransomware has so far targeted government, manufacturing and pharmaceutical organizations in the US and France. CYFIRMA advises organizations to implement robust encryption, authentication, and configuration practices, and to maintain backups of critical systems and files.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new ransomware-as-a-service (RaaS) affiliate program, VanHelsing, is rapidly gaining traction, with its operators successfully targeting three victims within a month of its launch on March 7. 
The RaaS project, presumed to be Russian because it prohibits attacks on Commonwealth of Independent States (CIS) targets, was first discovered by CYFIRMA on March 16, as attackers used it for [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2477,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2476","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2476"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2476"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2476\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2477"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
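As an added example (not code from the article, CYFIRMA or Check Point), the following Python sketch turns the three host-level indicators the article reports into detection logic run over log lines: deletion of VSS shadow copies, a burst of files renamed with the ".vanhelsing" extension, and the README.TXT ransom note. The key=value log format, the host names and every event in the sample are constructed for the example; the shadow-copy deletion command patterns (vssadmin, wmic, diskshadow, Win32_ShadowCopy) are the usual Windows techniques and are an assumption here, since the article does not say which method VanHelsing uses.

```python
"""Detection sketch for the VanHelsing indicators the article reports.

Added example, not code from the article, CYFIRMA or Check Point.
Assumptions: the key=value log format and every event in SAMPLE_LOG are
constructed for this example; the shadow-copy deletion command patterns are
the usual Windows techniques (vssadmin, wmic, diskshadow, Win32_ShadowCopy),
not a statement about which one VanHelsing itself uses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RANSOM_EXTENSION = ".vanhelsing"   # reported by CYFIRMA
RANSOM_NOTE = "README.TXT"         # reported by CYFIRMA

# Generic shadow-copy deletion patterns (assumption, see module docstring).
# "vssadmin list shadows" is deliberately NOT matched: only deletion/shrinking.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bdiskshadow(\.exe)?\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\b(Delete|Remove)\b", re.I),
]

# Constructed sample telemetry: one event per line, key=value fields.
SAMPLE_LOG = r"""
2025-03-16T09:58:10Z host=WS01 type=process cmdline="C:\Windows\System32\svchost.exe -k netsvcs"
2025-03-16T09:58:12Z host=WS01 type=process cmdline="vssadmin.exe delete shadows /all /quiet"
2025-03-16T09:58:13Z host=WS01 type=process cmdline="wmic.exe shadowcopy delete"
2025-03-16T09:58:20Z host=WS01 type=file path="C:\Users\alice\Documents\q1-report.xlsx.vanhelsing"
2025-03-16T09:58:20Z host=WS01 type=file path="C:\Users\alice\Documents\budget.docx.vanhelsing"
2025-03-16T09:58:21Z host=WS01 type=file path="C:\Users\alice\Documents\README.TXT"
2025-03-16T09:59:00Z host=WS02 type=file path="C:\Users\bob\notes.txt"
2025-03-16T09:59:05Z host=WS02 type=process cmdline="vssadmin.exe list shadows"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    host: str
    kind: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def detect_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line looks like it removes or shrinks VSS shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def classify_path(path: str) -> Optional[str]:
    """Return 'ransom-extension', 'ransom-note' or None for a file path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.endswith(RANSOM_EXTENSION):
        return "ransom-extension"
    if name == RANSOM_NOTE.lower():
        return "ransom-note"
    return None


def scan_log(text: str, mass_threshold: int = 2) -> List[Alert]:
    """Run the three detections over the log; one mass-rename alert per host
    once `mass_threshold` files with the ransom extension have been seen."""
    alerts: List[Alert] = []
    ext_counts: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("type") == "process" and detect_shadow_copy_deletion(ev.get("cmdline", "")):
            alerts.append(Alert(host, "shadow-copy-deletion", ev["cmdline"]))
        elif ev.get("type") == "file":
            kind = classify_path(ev.get("path", ""))
            if kind == "ransom-extension":
                ext_counts[host] = ext_counts.get(host, 0) + 1
                if ext_counts[host] == mass_threshold:
                    alerts.append(Alert(host, "mass-rename",
                                        f"{mass_threshold} files renamed to *{RANSOM_EXTENSION}"))
            elif kind == "ransom-note":
                alerts.append(Alert(host, "ransom-note", ev["path"]))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.host}] {a.kind}: {a.detail}")
```

On the sample, WS01 raises two shadow-copy-deletion alerts, one mass-rename alert and one ransom-note alert, while WS02 (a plain text file and a harmless "vssadmin list shadows") stays quiet. README.TXT is a common filename, so on its own it is weak evidence and is best treated as corroboration for the other two signals. In production the same logic would run over Sysmon Event ID 1 or Windows Security 4688 command lines and EDR file-create telemetry rather than this constructed format.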