Full Report
A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025. "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%," Check Point said in a report published over the weekend.
Analysis Summary
# Threat Actor: VanHelsing (Ransomware-as-a-Service)
## Attribution & Identity
**VanHelsing** is identified as a new Ransomware-as-a-Service (RaaS) operation. It runs as an affiliate program: affiliates pay a $5,000 deposit, or join without one if they have an established reputation. Core operators earn 20% of ransom payments, while affiliates keep 80%.
## Activity Summary
The RaaS operation launched on March 7, 2025, and had already claimed three victims by the time Check Point's report was published over the weekend. It prohibits affiliates from targeting the Commonwealth of Independent States (CIS).
## Tactics, Techniques & Procedures
- **Ransomware Operations:** Utilizes a double extortion model (data theft prior to encryption).
- **System Enumeration:** Deletes shadow copies and enumerates local and network drives.
- **Encryption:** Encrypts files and appends the ".vanhelsing" extension to their names.
- **Impact/Locker Activity:** Modifies the desktop wallpaper and drops a ransom note demanding Bitcoin payment.
- **Command-and-Control/Execution:** Supports command-line arguments that select the encryption mode, restrict encryption to specific locations, spread to SMB servers, or run in "Silent" mode, which encrypts without renaming files.
- **Infrastructure:** Provides affiliates with a control panel accessible via desktop and mobile devices (supporting dark mode).
## Targeting
- **Sectors:** Government, manufacturing, and pharmaceutical companies.
- **Geography:** France and the United States.
- **Victims:** Three victims claimed shortly after launch (specific names not mentioned).
## Tools & Infrastructure
- **Malware Families Used:** VanHelsing ransomware (written in C++).
- **Infrastructure (C2, domains, IPs):** Affiliate control panel (desktop and mobile); no domains or IP addresses are listed in this summary.
## Implications
VanHelsing presents a rapidly growing threat due to its low barrier to entry (a $5,000 deposit, waived for affiliates with an established reputation), user-friendly control panel, and frequent updates, making it a powerful tool for a wide range of cybercriminals. Its immediate success (three victims in under two weeks) signals a potentially significant new source of ransomware activity.
## Mitigations
- Implement robust data backup and recovery procedures to counter encryption.
- Enhance network visibility across the entire estate, specifically monitoring suspicious file activity, to detect and prevent ransomware deployment and lateral movement (especially via SMB).
- Ensure systems are hardened against common ransomware techniques like shadow copy deletion.
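The behaviours listed under Tactics, Techniques & Procedures (shadow copy deletion, renaming encrypted files to ".vanhelsing", and a "Silent" mode that skips the rename) map directly onto the file-activity monitoring the mitigations call for. The following Python is an added detection example written for this page, not code from Check Point or from the VanHelsing operators. The telemetry format, host names, file paths and timestamps are constructed sample data, and the burst thresholds are assumptions to tune per environment; it shows three checks that a practitioner would run over endpoint process-creation and file events.

```python
"""Added example: detect VanHelsing-style behaviours in endpoint telemetry.

Three checks, each returning a value the caller can alert on:
  1. process command lines that delete Volume Shadow Copies
  2. renames whose new name carries the ".vanhelsing" extension
  3. extension-agnostic bursts of file renames/modifications per host,
     which also catches "Silent" mode (encryption without renaming).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Shadow copy deletion command lines (vssadmin/wmic as named on the page;
# the Win32_ShadowCopy form is a common WMI/PowerShell variant).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]
RANSOM_EXT = ".vanhelsing"
BURST_THRESHOLD = 5   # assumed: events per host per window before alerting
BURST_WINDOW_S = 60   # assumed: sliding window length in seconds

# Constructed sample telemetry: (iso_timestamp, host, event_kind, detail).
# ws-01 shows the full chain, ws-02 is benign activity, ws-03 models
# "Silent" mode: files modified in place with no rename.
SAMPLE_EVENTS = [
    ("2025-03-20T10:00:01Z", "ws-01", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-03-20T10:00:02Z", "ws-01", "process", "wmic.exe shadowcopy delete"),
] + [
    (f"2025-03-20T10:00:{10 + i:02d}Z", "ws-01", "rename",
     rf"C:\Users\a\Docs\f{i}.docx -> C:\Users\a\Docs\f{i}.docx.vanhelsing")
    for i in range(6)
] + [
    ("2025-03-20T10:05:00Z", "ws-02", "process", "vssadmin.exe list shadows"),
    ("2025-03-20T10:05:01Z", "ws-02", "rename", r"C:\tmp\a.txt -> C:\tmp\a.bak"),
] + [
    (f"2025-03-20T11:00:{i:02d}Z", "ws-03", "modify", rf"D:\share\r{i}.pdf")
    for i in range(6)
]


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z (works on Python < 3.11)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_shadow_copy_deletion(events):
    """Return (host, command_line) for process events that delete shadow copies."""
    hits = []
    for _, host, kind, detail in events:
        if kind == "process" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
            hits.append((host, detail))
    return hits


def detect_ransom_extension(events):
    """Count, per host, renames whose new name ends in the VanHelsing extension."""
    counts = defaultdict(int)
    for _, host, kind, detail in events:
        if kind != "rename" or " -> " not in detail:
            continue
        new_name = detail.split(" -> ", 1)[1]
        if new_name.lower().endswith(RANSOM_EXT):
            counts[host] += 1
    return dict(counts)


def detect_file_bursts(events, threshold=BURST_THRESHOLD, window_s=BURST_WINDOW_S):
    """Hosts with >= threshold rename/modify events inside a window_s sliding window.

    Ignores file names entirely, so it still fires when the ransomware is run in
    "Silent" mode and the ".vanhelsing" rename check above sees nothing.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, host, kind, _ in sorted(events, key=lambda e: e[0]):
        if kind not in ("rename", "modify"):
            continue
        t = _ts(ts)
        window = recent[host]
        window.append(t)
        while (t - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(host)
    return sorted(flagged)


def run_detections(events):
    """Run all three checks and return their results keyed by check name."""
    return {
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "ransom_extension": detect_ransom_extension(events),
        "file_bursts": detect_file_bursts(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On the constructed sample, the shadow copy check fires twice on ws-01, the extension check counts six renames on ws-01 only, and the burst check flags both ws-01 and ws-03; ws-02's `vssadmin list shadows` and single `.bak` rename stay quiet. The third check is the one worth keeping even where extension-based rules already exist, because the page notes that "Silent" mode encrypts without renaming files.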