

Ethical Hacking News

New VanHelsing Ransomware Attacks Windows, ARM, ESXi Systems with Advanced Encryption Techniques


A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. The malware encrypts victims' files with the ChaCha20 stream cipher, using a fresh key and nonce for every file that are then wrapped with an embedded Curve25519 public key.
Read the full article to learn more about the VanHelsing RaaS operation and what it means for system administrators worldwide.

  • The VanHelsing ransomware-as-a-service (RaaS) operation targets various operating systems, including Windows, Linux, BSD, ARM, and ESXi systems.
  • The operation is a Russian cybercrime project that forbids targeting systems in CIS countries and pays affiliates 80% of the ransom payments, with the operators taking 20%.
  • Files stolen from victims are stored on the operation's own servers, and the core team claims to perform regular penetration tests of that infrastructure for security and reliability.
  • The operators threaten to leak the stolen files within days if victims do not pay; in the case Check Point examined, the ransom demand was $500,000.
  • VanHelsing was first deployed in the wild on March 16 and uses the ChaCha20 algorithm for file encryption, with a per-file key and nonce wrapped by an embedded Curve25519 public key.
  • The malware has several flaws that reveal code immaturity, including errors in the exclusion list logic that can encrypt a file twice and command-line flags that are not implemented.



  • A new ransomware-as-a-service (RaaS) operation called VanHelsing has emerged, with a locker that targets Windows, Linux, BSD, ARM, and ESXi systems. VanHelsing was first promoted on underground cybercrime platforms on March 7, offering experienced affiliates free entry while requiring a $5,000 deposit from less experienced threat actors.

    According to Check Point Research, the new ransomware operation is a Russian cybercrime project that forbids targeting systems in CIS (Commonwealth of Independent States) countries. Affiliates are allowed to keep 80% of the ransom payments while the operators take a 20% cut. The payments are handled via an automated escrow system that employs two blockchain confirmations for security.

    Accepted affiliates gain access to a panel that automates the operation end to end, with direct support from the development team. Files stolen from victims' networks are stored on the VanHelsing operation's own servers, and the core team claims it performs regular penetration tests to keep that infrastructure secure and reliable.

    The VanHelsing extortion portal on the dark web lists three victims, two in the U.S. and one in France. One of the victims is a city in Texas, while the other two are technology companies. The ransomware operators threaten to leak the stolen files in the coming days if their financial demands aren't met; in the case Check Point examined, the demand was a $500,000 ransom payment.

    The VanHelsing ransomware is written in C++, and evidence suggests it was first deployed in the wild on March 16. It encrypts files with the ChaCha20 stream cipher, generating a fresh 32-byte (256-bit) key and 12-byte nonce for each file. That key/nonce pair is then protected with an embedded Curve25519 public key, and the wrapped result is stored in the encrypted file. Curve25519 is a key-agreement primitive rather than a public-key encryption algorithm, so in practice this is the standard hybrid pattern: a secret derived against the operator's public key wraps the per-file key, and only the holder of the matching private key can unwrap it. That is what makes the files unrecoverable without the operators' cooperation, regardless of how many samples a defender collects.

    VanHelsing encrypts only part of each file larger than 1GB, a common trade-off that speeds up the run at the cost of leaving the remainder of the file in the clear, and fully encrypts smaller files. The malware supports rich CLI customization to tailor attacks per victim: targeting specific drives and folders, restricting the scope of encryption, spreading via SMB, skipping shadow copy deletion, and enabling a two-phase stealth mode.
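    The per-file scheme described above (fresh ChaCha20 key and nonce, wrapped to an embedded Curve25519 public key, partial encryption past a size threshold) is easiest to understand as working code. The block below is an added example written for this page, not VanHelsing's code or Check Point's analysis: it implements ChaCha20 from RFC 8439 and X25519 from RFC 7748 with the Python standard library only, then uses them in the hybrid construction. The footer layout (ephemeral public key plus wrapped key/nonce appended to the body), the SHA-256 derivation of the wrapping key, the all-zero wrap nonce and the `demo-wrap` label are assumptions of this demo; the article does not describe those details.

```python
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF
P25519 = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
PARTIAL_THRESHOLD = 1 << 30  # files above 1 GiB get only their first 1 GiB encrypted

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """RFC 8439 keystream block: 32-byte key, 32-bit block counter, 12-byte nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def x25519(scalar, u):
    """RFC 7748 Montgomery ladder: scalar * point(u); both 32-byte little-endian."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        c, d = (x3 + z3) % P25519, (x3 - z3) % P25519
        da, cb = d * a % P25519, c * b % P25519
        x3 = (da + cb) ** 2 % P25519
        z3 = x1 * (da - cb) ** 2 % P25519
        x2 = aa * bb % P25519
        z2 = e * (aa + 121665 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def _wrap_key(shared, eph_pub, operator_pub):
    # Assumed KDF for this demo: bind the X25519 shared secret to both public keys.
    return hashlib.sha256(b"demo-wrap" + shared + eph_pub + operator_pub).digest()

def encrypt_file(plaintext, operator_pub, partial_threshold=PARTIAL_THRESHOLD):
    """Return body || ephemeral pub (32) || wrapped key+nonce (44); footer layout is assumed."""
    file_key, file_nonce = os.urandom(32), os.urandom(12)
    n = min(len(plaintext), partial_threshold)          # partial mode for big files
    body = chacha20_xor(file_key, file_nonce, plaintext[:n]) + plaintext[n:]
    eph_priv, eph_pub = keypair()                        # fresh per file, so the zero
    shared = x25519(eph_priv, operator_pub)              # wrap nonce is never reused
    wrapped = chacha20_xor(_wrap_key(shared, eph_pub, operator_pub), bytes(12),
                           file_key + file_nonce)
    return body + eph_pub + wrapped

def decrypt_file(blob, operator_priv, partial_threshold=PARTIAL_THRESHOLD):
    """The operator-side decryptor: only the private key can unwrap the file key."""
    body, eph_pub, wrapped = blob[:-76], blob[-76:-44], blob[-44:]
    operator_pub = x25519(operator_priv, BASEPOINT)
    shared = x25519(operator_priv, eph_pub)
    kn = chacha20_xor(_wrap_key(shared, eph_pub, operator_pub), bytes(12), wrapped)
    n = min(len(body), partial_threshold)
    return chacha20_xor(kn[:32], kn[32:], body[:n]) + body[n:]

if __name__ == "__main__":
    op_priv, op_pub = keypair()                  # op_pub is what a binary would embed
    doc = b"Q1 ledger line\n" * 500              # constructed sample file (7500 bytes)
    blob = encrypt_file(doc, op_pub, partial_threshold=1024)  # small limit shows partial mode
    assert blob[1024:-76] == doc[1024:]          # tail left in the clear, as for >1 GiB files
    assert decrypt_file(blob, op_priv, partial_threshold=1024) == doc
    print("round trip ok; footer adds", len(blob) - len(doc), "bytes")
```

    Two practical points follow from the code. Recovery without `op_priv` would require breaking X25519 or ChaCha20, so incident responders should not expect a free decryptor from cryptanalysis; the realistic recovery paths are backups or an operator key leak. And because the article describes plain ChaCha20 rather than an AEAD mode, the ciphertext carries no authenticator: in partial mode the unencrypted tail of a large file is readable as-is, which is sometimes enough to salvage content from databases, VM disks and archives.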

    In normal encryption mode, VanHelsing enumerates files and folders, encrypts each file's contents, and renames the result by appending the '.vanhelsing' extension. In stealth mode, the ransomware decouples encryption from renaming: content is overwritten in place and file names are left alone, so detections keyed on a burst of renames to a known ransomware extension do not fire and the file I/O looks more like ordinary activity.
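    The difference between the two modes matters for detection engineering: an extension-based rule catches normal mode and misses stealth mode, while a content check catches both. The block below is an added example written for this page, not part of the article or of any vendor product: it scans a set of constructed sample files (random bytes stand in for ChaCha20 ciphertext) and flags files by the `.vanhelsing` extension or by Shannon entropy close to 8 bits per byte, with an allow-list for formats that are compressed or encrypted by design. The extension list, entropy threshold, minimum size and allow-list are assumptions to tune per environment.

```python
import math
import os
import zlib
from collections import Counter

RANSOM_EXTENSIONS = {".vanhelsing"}
# Formats that are compressed or encrypted by design legitimately look random;
# without this allow-list an entropy check drowns in false positives.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
MIN_SIZE = 256            # tiny files cannot reach high entropy, so skip them

def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for an empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, data):
    """Return a reason string if the file looks ransomware-encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransomware extension"            # normal mode: renamed after encryption
    if ext in HIGH_ENTROPY_OK or len(data) < MIN_SIZE:
        return None
    h = shannon_entropy(data)
    if h >= ENTROPY_THRESHOLD:                   # stealth mode: encrypted in place, same name
        return f"high entropy {h:.2f} bits/byte for a {ext or 'no-extension'} file"
    return None

def scan(files):
    """files: iterable of (path, bytes). Returns {path: reason} for every hit."""
    hits = {}
    for path, data in files:
        reason = classify(path, data)
        if reason:
            hits[path] = reason
    return hits

def sample_files():
    """Constructed samples; os.urandom stands in for ChaCha20 output."""
    return [
        ("reports/q1.txt", b"Quarterly revenue by region\n" * 100),      # untouched
        ("reports/q2.txt.vanhelsing", os.urandom(4096)),                 # normal mode
        ("reports/q3.txt", os.urandom(4096)),                            # stealth mode
        ("archive/backup.zip", zlib.compress(os.urandom(4096))),         # legit, allow-listed
        ("notes/todo.txt", b"ok"),                                       # too small to judge
    ]

if __name__ == "__main__":
    for path, reason in scan(sample_files()).items():
        print(f"{path}: {reason}")
```

    In a real deployment the entropy check would run on write or close events from an EDR or file-integrity agent, and the useful signal is the rate: a few high-entropy writes are normal, hundreds within a minute across a share are not. Pair it with a canary file that legitimate software never touches, since stealth mode still has to rewrite the canary's bytes to encrypt it.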

    While VanHelsing appears capable and is evolving quickly, Check Point noticed several flaws that reveal code immaturity: inconsistent handling of the file extension, errors in the exclusion list logic that can cause a file to be encrypted twice, and several command-line flags that are accepted but not implemented.

    Despite these errors, VanHelsing is a worrying threat that could gain traction quickly. System administrators should be aware of this new operation and take precautions accordingly, including maintaining offline backups and monitoring for the encryption behaviors described above.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-VanHelsing-Ransomware-Attacks-Windows-ARM-ESXi-Systems-with-Advanced-Encryption-Techniques-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/


  • Published: Mon Mar 24 15:05:18 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
