
VanHelsingRaaS Ransomware Hits Multiple Platforms Including Linux, BSD, ARM, and ESXi


VanHelsingRaaS, a newly launched ransomware-as-a-service (RaaS) program, has quickly gained traction in the cybercrime landscape.

Designed to attract both seasoned hackers and newcomers, this affiliate program requires a $5,000 deposit for entry and offers affiliates an 80% share of ransom payments, with the operators retaining the remaining 20%.

The program explicitly prohibits targeting systems in Commonwealth of Independent States (CIS) countries, a common restriction in Russian-origin cybercrime operations.

Check Point Research has identified two variants of the VanHelsing ransomware targeting Windows systems.

However, advertisements for the RaaS indicate broader capabilities, with support for Linux, BSD, ARM, and ESXi platforms.

This cross-platform functionality significantly expands its reach and potential impact.

The ransomware is managed through an intuitive control panel that simplifies attack operations for affiliates.

Rapid Growth and Multi-Platform Threats

Within two weeks of its launch, VanHelsingRaaS has already infected three victims, demanding ransom payments as high as $500,000 in Bitcoin for decryption keys and the deletion of stolen data.

The ransomware itself is written in C++ and supports various command-line arguments to tailor encryption processes to specific targets.

These arguments include options to encrypt local drives, network drives, or specific directories while offering stealth features such as silent encryption mode to evade detection.

The malware demonstrates active development, with updates introducing new functionalities.

For example, the second variant, compiled on March 11, includes enhanced features compared to the initial version, which was discovered on March 16.

This rapid evolution underscores the sophistication of the operation and its adaptability to different system environments.

Technical Analysis of VanHelsing Ransomware

VanHelsing encrypts files with ChaCha20, using Curve25519 public keys embedded in its code.

It selectively encrypts files based on size and excludes critical system files and folders from encryption to maintain system operability.

The ransomware also deletes shadow copies using Windows Management Instrumentation (WMI), preventing victims from recovering encrypted data from Volume Shadow Copy snapshots.

Network drives are targeted by default unless excluded via specific command-line arguments.

The ransomware scans local networks for SMB servers and encrypts shared resources.

Additionally, it includes functionality for spreading via SMB shares using embedded tools like PsExec.exe.

The ransomware’s silent mode separates the encryption pass from the file-renaming pass, so behavioral detections keyed on mass renaming do not fire while data is being encrypted.

Encrypted files are marked with the extension .vanhelsing, but a coding error checks for the extension .vanlocker instead, so already-encrypted files are not skipped and can be encrypted a second time.
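The three behaviors described above (WMI shadow copy deletion, a silent mode that encrypts without renaming, and the .vanlocker/.vanhelsing extension mismatch) each leave a different trace in endpoint telemetry. The following detection sketch is an added example, not code from Check Point Research or from the malware; it runs over constructed process/file events in a simplified `process|action|target` format, and the `wmic.exe shadowcopy delete` command line is an assumed illustration of WMI-based shadow copy deletion rather than a quote from the sample. A rename-count rule alone would miss silent mode, so a second rule flags write bursts with no renames.

```python
import re
from collections import Counter, defaultdict

RANSOM_EXT = ".vanhelsing"
SHADOW_RE = re.compile(r"shadowcopy\s+delete|win32_shadowcopy", re.I)

# Constructed sample telemetry (not real VanHelsing logs).
SAMPLE_EVENTS = r"""
locker.exe|exec|wmic.exe shadowcopy delete
locker.exe|write|C:\data\q1.xlsx
locker.exe|rename|C:\data\q1.xlsx -> C:\data\q1.xlsx.vanhelsing
locker.exe|write|C:\data\q2.xlsx
locker.exe|rename|C:\data\q2.xlsx -> C:\data\q2.xlsx.vanhelsing
locker.exe|write|C:\data\q3.xlsx
locker.exe|rename|C:\data\q3.xlsx -> C:\data\q3.xlsx.vanhelsing
locker.exe|write|C:\data\old.docx.vanhelsing
silent.exe|write|C:\hr\a.pdf
silent.exe|write|C:\hr\b.pdf
silent.exe|write|C:\finance\c.pdf
silent.exe|write|C:\finance\d.pdf
word.exe|write|C:\users\bob\memo.docx
"""

def parse_events(text):
    """Yield (process, action, target) tuples; 'exec' targets are command lines."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split("|", 2))

def analyze(text, burst=3):
    """Return alert name -> sorted list of offending processes."""
    alerts = defaultdict(set)
    writes = defaultdict(set)   # process -> distinct paths written
    renames = Counter()         # process -> renames to the ransom extension
    for proc, action, target in parse_events(text):
        if action == "exec" and SHADOW_RE.search(target):
            alerts["shadow_copy_deletion"].add(proc)      # backup destruction
        elif action == "rename":
            dst = target.split(" -> ", 1)[1]
            if dst.lower().endswith(RANSOM_EXT):
                renames[proc] += 1
        elif action == "write":
            writes[proc].add(target)
            if target.lower().endswith(RANSOM_EXT):       # .vanlocker check bug
                alerts["rewrite_of_encrypted_file"].add(proc)
    for proc, n in renames.items():
        if n >= burst:
            alerts["mass_rename_to_ransom_ext"].add(proc)
    for proc, paths in writes.items():
        dirs = {p.rsplit("\\", 1)[0] for p in paths}
        # Silent mode: many files across directories touched, no renames at all.
        if len(paths) >= burst and len(dirs) >= 2 and renames[proc] == 0:
            alerts["silent_burst_write"].add(proc)
    return {name: sorted(procs) for name, procs in alerts.items()}
```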

VanHelsingRaaS represents a significant advancement in ransomware operations by offering multi-platform support and user-friendly management tools.

Its rapid adoption by affiliates and successful infections within weeks highlight its effectiveness as a cybercrime tool.

As ransomware threats continue to evolve, organizations must implement robust cybersecurity measures to defend against sophisticated attacks like VanHelsingRaaS.
