CyberSecurityBoard
Sponsor Register Login

New VanHelsing ransomware targets Windows, ARM, ESXi systems

In normal encryption mode, VanHelsing enumerates files and folders, encrypts the file contents, and renames the resulting file appending the ‘.vanhelsing’ extension. Files stolen from the victims’ networks are stored directly on the VanHelsing operation’s servers, while the core team claims that they perform regular penetration tests to ensure top-notch security and system reliability. In stealth mode, the ransomware decouples encryption from file renaming, which is less likely to trigger alarms because file I/O patterns mimic normal system behavior. VanHelsing was first promoted on underground cybercrime platforms on March 7, offering experienced affiliates a free pass to join while mandating a deposit of $5,000 from less experienced threat actors. The malware supports rich CLI customization to tailor attacks per victim, such as targeting specific drives and folders, restricting the scope of encryption, spreading via SMB, skipping shadow copies deletion, and enabling two-phase stealth mode. Check Point’s analysts report that VanHelsing is a Russian cybercrime project that forbids targeting systems in systems in CIS (Commonwealth of Independent States) countries. VanHelsing uses the ChaCha20 algorithm for file encryption, generating a 32-byte (256-bit) symmetric key and a 12-byte nonce for each file. These include mismatches in the file extension, errors in the exclusion list logic that may trigger double encryption passes, and several unimplemented command-line flags. A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. The VanHelsing ransomware is written in C++, and evidence suggests that it was deployed in the wild for the first time on March 16. While VanHelsing appears advanced and quickly evolving, Check Point noticed a few flaws that reveal code immaturity. The new ransomware operation was first documented by CYFIRMA late last week, while Check Point Research performed a more in-depth analysis published yesterday. Despite the presence of errors, VanHelsing remains a worrying rising threat that appears that could start gaining traction soon. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. VanHelsing partially encrypts files larger than 1GB in size, but runs the full process on smaller files.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 24 Mar 2025 19:45:02 +0000


Cyber News related to New VanHelsing ransomware targets Windows, ARM, ESXi systems

New VanHelsing ransomware targets Windows, ARM, ESXi systems - In normal encryption mode, VanHelsing enumerates files and folders, encrypts the file contents, and renames the resulting file appending the ‘.vanhelsing’ extension. Files stolen from the victims’ networks are stored directly on the ...
2 months ago Bleepingcomputer.com
10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
3 months ago Cybersecuritynews.com
Researchers Emulated VanHelsing Ransomware Advanced Tactics & Tools Used - AttackIQ researchers identified that as of May 14, 2025, the VanHelsing operation had already infected five organizations across the United States, France, Italy, and Australia, with data from three non-compliant victims published on their leak site. ...
1 month ago Cybersecuritynews.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
2 months ago Cybersecuritynews.com
VanHelsing Ransomware Attacking Windows Systems With New Evasion Technique & File Extension - A new ransomware strain named VanHelsing has emerged, targeting Windows systems with sophisticated encryption techniques and advanced evasion tactics. Cyfirma researchers discovered that VanHelsing employs a double extortion strategy, not only ...
2 months ago Cybersecuritynews.com
Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
New VanHelsingRaaS Attacking Linux, BSD, ARM, and ESXi Systems - This two-stage approach helps evade behavioral detection systems that might flag simultaneous encryption and renaming activities as indicators of ransomware behavior. After all files have been encrypted in Silent mode, the ransomware performs a ...
2 months ago Cybersecuritynews.com
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
VMware ESXi 8.0 Update 3e Released for Free, What's New! - This marks a significant policy reversal after Broadcom discontinued the free ESXi offering following its acquisition of VMware, a move that had pushed many users toward alternative virtualization platforms. Broadcom has officially reintroduced the ...
2 months ago Cybersecuritynews.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
1 year ago Bleepingcomputer.com LockBit
A type of malicious software called Royal Ransomware designed for Linux systems is attacking VMware ESXi servers - The latest ransomware operation to target Linux devices is Royal Ransomware. It is specifically designed to encrypt VMware ESXi virtual machines. Other ransomware gangs, such as Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, ...
2 years ago Bleepingcomputer.com LockBit RansomEXX Black Basta
The Week in Ransomware - Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article. BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have ...
1 year ago Bleepingcomputer.com LockBit Qilin Noescape
CVE-2022-48895 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news Qilin
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Targeting homeowners' data - As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks. Finland is also warning of Akira ransomware increasingly targeting ...
1 year ago Bleepingcomputer.com LockBit Akira
New Nevada Ransomware Targets Windows and VMware ESXi Systems - A relatively new ransomware operation known as Nevada is quickly growing in capabilities, targeting Windows and VMware ESXi systems. On December 10, 2022, Nevada ransomware was promoted on the RAMP darknet forums, inviting Russian and ...
2 years ago Bleepingcomputer.com
6 Ransomware Trends & Evolutions For 2023 - More than any other industry, cybersecurity is constantly changing. The number of major paradigm shifts that have transformed the world of cybersecurity in the past few years has been unprecedented, especially when it comes to combating ransomware. ...
2 years ago Trendmicro.com TeamTNT
1 1
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
1 year ago Bleepingcomputer.com LockBit BianLian Akira Cactus
Cisco Talos Report: New Trends in Ransomware, Network Infrastructure Attacks, Commodity Loader Malware - The Cisco Talos Year in Review report released Tuesday highlights new trends in the cybersecurity threat landscape. We'll focus on three topics covered: the ransomware cybercriminal ecosystem, network infrastructure attacks and commodity loader ...
1 year ago Techrepublic.com LockBit
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
1 year ago Bleepingcomputer.com LockBit Akira Noescape

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)