VanHelsing ransomware, a new RaaS targeting multiple platforms

April 24, 2025
Van Helsing Ransomware RaaS

The recently discovered VanHelsing ransomware is a new ransomware-as-a-service (RaaS) operation.

This RaaS operation can target multiple platforms: its locker has builds for Windows, Linux, BSD, ARM-based systems, and VMware ESXi hypervisors.

Researchers noted that the ransomware was first advertised on underground cybercrime forums in March 2025. At launch, experienced affiliates were admitted free of charge, while less experienced threat actors had to pay a $5,000 deposit to join.

The VanHelsing ransomware is suspected to be a Russian project because its affiliate rules prohibit targeting systems in Commonwealth of Independent States (CIS) countries, a convention typical of Russian-speaking crimeware operations.

In addition, the project's affiliates keep 80% of ransom payments, while the operators receive 20%. Payments pass through an automated escrow system that requires two blockchain confirmations before funds are released.

Accepted affiliates also get access to a panel that automates the full attack workflow, along with direct support from the development team.

Data stolen from victims' networks is stored directly on the VanHelsing operation's servers, and the core team claims to run regular penetration tests to keep the infrastructure secure and stable.

As of now, the VanHelsing extortion page on the dark web lists three victims, two from the US and one from France.

The operators threatened to leak the stolen files within days if the listed companies did not meet their demands. Researchers reported ransom demands of at least $500,000.

The VanHelsing ransomware is written in C++, and evidence indicates it was first deployed on March 16, 2025. It uses the ChaCha20 stream cipher for file encryption, generating a fresh 32-byte key and 12-byte nonce for each file.

The key and nonce are then encrypted with a Curve25519 public key embedded in the binary, and the encrypted pair is stored inside the encrypted file, so recovery requires the operators' corresponding private key. Files larger than 1 GB are only partially encrypted, a speed trade-off common in modern lockers, while smaller files are encrypted in full.

Lastly, the ransomware exposes an extensive set of command-line options that let affiliates tailor each attack: targeting specific drives and folders, limiting the scope of encryption, propagating over SMB, skipping shadow copy deletion, and enabling a two-phase stealth mode.
