Full Report
Key Points
VanHelsing RaaS
In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. Reputable affiliates can […]
The post VanHelsing, new RaaS in Town appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: VanHelsing Ransomware
## Overview
VanHelsing Ransomware is the cross-platform file-encrypting payload delivered by the **VanHelsing RaaS** (Ransomware-as-a-Service) program. The RaaS scheme, launched on March 7, 2025, recruits affiliates to deploy the ransomware under an 80/20 revenue split and bans the targeting of CIS countries.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Windows, Linux, BSD, ARM, and ESXi systems (multi-platform support advertised)
- Capabilities: Encrypts files, drops ransom notes, changes the desktop background; written in C++.
- First Seen: Discovered on March 16, 2025.
## MITRE ATT&CK Mapping
The report covers the deployment and impact of the ransomware, so the mapping falls primarily under the Impact tactic:
- **TA0040 - Impact**
- **T1486 - Data Encrypted for Impact**
- *(Implicit: Ransomware deployment leads to encryption)*
## Functionality
### Core Capabilities
- Utilizes command-line arguments to control encryption targets (network/local drives, specific files/directories).
- Drops a ransom note named `README.txt` in affected directories, demanding Bitcoin for decryption and threatening permanent data loss if third-party tools are used.
- Encrypts files and appends the `.vanhelsing` extension.
- Embedded images (`vhlocker.png` and `vhlocker.ico`) are dropped in `C:\Windows\Web`; they are intended to replace the desktop background and to associate an icon with encrypted files, although the icon-association function appears to be flawed.
### Advanced Features
- Development artifacts, specifically the PDB file path, are left inside the executable, potentially revealing the developer's environment.
- The RaaS provides a simplified, intuitive control panel for affiliates to manage campaigns.
- The ransomware appears to be in early development: it emits log messages for features that are not yet implemented.
## Indicators of Compromise
- File Hashes:
- VanHelsing Ransomware: `79106dd259ba534320259ba5343202c2f669a0a61b10adfadffe683bfaeb1a695ff9ef1759cf1944fa3bb3b6948`
- Loader: `4211cec2f905b9c94674a326581e4a5ae0599df9`
- File Names: `README.txt` (Ransom Note)
- Registry Keys: N/A
- Network Indicators:
- Negotiation Onion Pages: `vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd[.]onion`, `vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid[.]onion`, `vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad[.]onion`, `vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad[.]onion`
- RaaS Onion Pages: `vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd[.]onion`, `vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad[.]onion`, `vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd[.]onion`
- Payment and Contact Indicators: Ransom payment is demanded to Bitcoin wallet `bc1q0cuvj9eglxk43v9mqmyjzzh6m8qsvsanedwrru`; communication is via TOX ID `FEE914521FB507AB978107ACE3B69B4CA41DA89859408BAE23E1512E8C2E614A26C5FFD482A3`.
## Associated Threat Actors
- VanHelsing RaaS Operators (Core Operators)
- VanHelsing RaaS Affiliates (users who either pay a deposit or are invited, and then deploy the payload)
## Detection Methods
- Signature-based detection:
- `Ransomware.Win.FilesMovedOrOverwrites.A`
- `Ransomware.Win.TouchTrapFiles.A`
- `TS_Ransomware.Win.FilesMovedOrOverwrites.A`
- `Trojan.Win.Krap.gl.D`
- `Trojan.Wins.Imphash.taim.XT`
- `Trojan.Wins.PDB.tapd.ON`
- Behavioral detection: Monitoring for mass file renaming/encryption operations, desktop background changes caused by the dropped image (`vhlocker.png`), and the appearance of the `.vanhelsing` file extension.
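One way to turn the behavioral indicators above into detection logic, as an added example that is not Check Point's signature or product logic: it reads constructed, tab-separated file events (timestamp, host, action, path) of the kind an EDR or file-integrity monitor emits and flags a host on a burst of renames to `.vanhelsing` or on `README.txt` being written into several directories within a short window. The window and thresholds are assumed tuning values for illustration, not figures from the report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXTENSION = ".vanhelsing"       # extension appended to encrypted files
NOTE_NAME = "readme.txt"        # ransom note, matched case-insensitively
WINDOW = timedelta(seconds=60)  # assumed tuning values, not from the report
RENAME_THRESHOLD = 5
NOTE_DIR_THRESHOLD = 3

def parse_event(line):
    """Parse 'ISO-timestamp<TAB>host<TAB>action<TAB>path' into a tuple."""
    ts, host, action, path = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), host, action, path

def detect(lines):
    """Return sorted (host, reason) alerts; each host raises a reason once."""
    renames = defaultdict(deque)  # host -> timestamps of .vanhelsing renames
    notes = defaultdict(dict)     # host -> {directory: last README.txt write}
    alerts = set()
    for line in lines:
        ts, host, action, path = parse_event(line)
        directory, _, name = path.lower().rpartition("\\")
        if action == "rename" and name.endswith(EXTENSION):
            q = renames[host]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop renames older than the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                alerts.add((host, "burst of renames to " + EXTENSION))
        elif action == "write" and name == NOTE_NAME:
            dirs = notes[host]
            dirs[directory] = ts
            if sum(ts - t <= WINDOW for t in dirs.values()) >= NOTE_DIR_THRESHOLD:
                alerts.add((host, "README.txt dropped in multiple directories"))
    return sorted(alerts)

# Constructed sample events, not real telemetry: WS01 shows both patterns;
# WS02 has one rename and one README.txt, both below threshold, and stays quiet.
SAMPLE_EVENTS = [
    "2025-03-20T10:00:01\tWS01\trename\tC:\\Users\\a\\Documents\\q1.xlsx.vanhelsing",
    "2025-03-20T10:00:02\tWS01\twrite\tC:\\Users\\a\\Documents\\README.txt",
    "2025-03-20T10:00:03\tWS01\trename\tC:\\Users\\a\\Documents\\q2.xlsx.vanhelsing",
    "2025-03-20T10:00:04\tWS01\trename\tC:\\Users\\a\\Pictures\\a.jpg.vanhelsing",
    "2025-03-20T10:00:05\tWS01\twrite\tC:\\Users\\a\\Pictures\\README.txt",
    "2025-03-20T10:00:06\tWS01\trename\tC:\\Users\\a\\Pictures\\b.jpg.vanhelsing",
    "2025-03-20T10:00:07\tWS01\trename\tC:\\Users\\a\\Desktop\\notes.docx.vanhelsing",
    "2025-03-20T10:00:08\tWS01\twrite\tC:\\Users\\a\\Desktop\\README.txt",
    "2025-03-20T10:05:00\tWS02\trename\tC:\\Users\\b\\old.txt.vanhelsing",
    "2025-03-20T10:05:01\tWS02\twrite\tC:\\Users\\b\\project\\README.txt",
]
```

Calling `detect(SAMPLE_EVENTS)` reports only WS01, once for each of the two patterns.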
## Mitigation Strategies
- Apply comprehensive endpoint protection (e.g., Check Point Harmony Endpoint) capable of threat emulation and detecting ransomware tactics.
- Ensure robust backup and recovery strategies are in place, tested, and isolated.
- Harden Linux, BSD, ARM, and ESXi systems given the RaaS's cross-platform claims.
- Monitor for reconnaissance or lateral movement preceding mass encryption events, since affiliates typically perform these steps before deploying the payload.
## Related Tools/Techniques
- Ransomware-as-a-Service (RaaS) model.
- General ransomware techniques (encryption, and double extortion: data exfiltration is implied by the ransom note's offer of "deletion of stolen data").