A new and rapidly evolving ransomware-as-a-service (RaaS) operation called VanHelsingRaaS has emerged in the cybercrime landscape. Launched on March 7, 2025, this sophisticated threat has already claimed three victims in less than two weeks, demanding ransoms of $500,000 paid to Bitcoin wallets.

The operation allows affiliates to join with a $5,000 deposit, offering them 80% of ransom payments while the core operators retain 20%. The service provides affiliates with an intuitive control panel that simplifies the execution of ransomware attacks, lowering the technical barrier to entry for cybercriminals. The only operational restriction imposed by the RaaS operators is a prohibition on targeting systems within Commonwealth of Independent States (CIS) countries, a common practice among Russian-based cybercrime operations.

VanHelsingRaaS has distinguished itself by expanding beyond Windows to target multiple platforms, including Linux, BSD, ARM, and ESXi systems. Check Point researchers detected two variants of the VanHelsing ransomware, compiled just five days apart, demonstrating the operation’s rapid development cycle. Analysis revealed significant updates between versions, highlighting the malware authors’ commitment to evolving their threat capabilities.

The ransomware employs sophisticated encryption techniques, utilizing a Curve25519 public key embedded in the code. For each encrypted file, it generates two random ephemeral values (32 bytes and 12 bytes) to use as the key and nonce for ChaCha20 algorithm encryption. Files are renamed with the .vanhelsing extension after encryption, and a ransom note is dropped in each folder.

A particularly concerning feature of VanHelsingRaaS is its implementation of a “Silent” mode, activated through the --Silent command-line argument. This mode splits the malware’s functionality into two distinct phases to evade detection systems. In normal operation, the ransomware enumerates folders, identifies files, encrypts them, and immediately renames them with the .vanhelsing extension. After all files have been encrypted in Silent mode, the ransomware performs a second pass, this time solely to rename the files. This two-stage approach helps evade behavioral detection systems that might flag simultaneous encryption and renaming activities as indicators of ransomware behavior.

As VanHelsingRaaS continues to evolve, security professionals must remain vigilant against this sophisticated and rapidly spreading threat.
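The detection gap that Silent mode relies on, shown as an added example that is not from the original article or from Check Point: a rule that pairs each file write with a rename shortly afterwards misses the deferred rename pass, while a rule keyed on one process appending the same new extension to many files fires in both modes. The event tuples, PID, paths, time window and thresholds are constructed assumptions.

```python
from collections import defaultdict

def make_events(silent):
    """Constructed telemetry: pid 4242 touches 30 files.
    Tuple layout (assumed): (seconds, pid, operation, path, new_path)."""
    events = []
    for i in range(30):
        path = f"C:/data/doc{i}.xlsx"
        events.append((2 * i, 4242, "write", path, None))
        # Normal mode renames right after each write; Silent mode defers
        # every rename to a second pass that starts much later.
        rename_time = 600 + i if silent else 2 * i + 1
        events.append((rename_time, 4242, "rename", path, path + ".vanhelsing"))
    return sorted(events, key=lambda e: e[0])

def coupled_rule(events, window=2, threshold=20):
    """Write-then-rename heuristic: flag a process that renames many files
    within `window` seconds of writing them."""
    last_write = {}
    hits = defaultdict(int)
    for t, pid, op, path, _new in events:
        if op == "write":
            last_write[(pid, path)] = t
        elif op == "rename" and (pid, path) in last_write:
            if t - last_write[(pid, path)] <= window:
                hits[pid] += 1
    return {pid for pid, n in hits.items() if n >= threshold}

def decoupled_rule(events, threshold=20):
    """Phase-independent heuristic: flag a process that appends the same new
    extension to many files, whenever those files were written."""
    counts = defaultdict(int)
    for _t, pid, op, path, new in events:
        if op == "rename" and new and new.startswith(path + "."):
            counts[(pid, new[len(path):])] += 1
    return {key for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for mode in (False, True):
        ev = make_events(silent=mode)
        print("silent" if mode else "normal",
              "coupled:", coupled_rule(ev),
              "decoupled:", decoupled_rule(ev))
```

In production the decoupled rule needs an allowlist for processes that legitimately bulk-rename files, such as backup or archiving tools.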
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 24 Mar 2025 07:30:04 +0000