Cybersecurity experts have successfully emulated the behaviors of VanHelsing, a sophisticated ransomware-as-a-service (RaaS) operation that emerged in March 2025 and has rapidly gained notoriety in cybercriminal circles. The ransomware employs a double extortion model, encrypting victims’ files with the Curve25519 and ChaCha20 algorithms while simultaneously exfiltrating sensitive data and threatening public disclosure if ransom demands are not met. What makes VanHelsing particularly concerning is its cross-platform capability, allowing it to target Windows, Linux, BSD, ARM devices, and VMware ESXi environments.

AttackIQ researchers identified that as of May 14, 2025, the VanHelsing operation had already infected five organizations across the United States, France, Italy, and Australia, with data from three non-compliant victims published on its leak site. The security firm has released a comprehensive attack graph emulating the behaviors exhibited by this ransomware, enabling organizations to test their security controls against this emerging threat.

The RaaS operation maintains a structured affiliate program requiring a $5,000 deposit from newcomers, with affiliates retaining 80% of ransom payments collected from victims. Affiliates gain access to a dedicated control panel for managing attacks, tracking victims, and monitoring payment status.

VanHelsing performs sophisticated pre-encryption checks to avoid infecting unintended victims, such as those in specific geographical locations, and implements various anti-analysis measures to evade detection. The attack begins with the ransomware’s deployment on compromised systems, followed by initial reconnaissance activities designed to gather system information and ensure the target is viable. Security researchers emulating the ransomware identified that it uses GetEnvironmentStrings and GetNativeSystemInfo to fingerprint systems and potentially search for stored credentials.

VanHelsing employs multiple evasion techniques to remain undetected during its operation. The malware checks for the presence of debuggers using the IsDebuggerPresent Windows API and performs system location discovery through multiple API calls, including GetUserDefaultLCID, GetUserDefaultLocaleName, and GetLocaleInfoA, to determine the victim’s geographical location.

The ransomware then systematically identifies valuable targets through file system traversal using the FindFirstFileW and FindNextFileW Windows APIs. Files matching specific extensions are encrypted using a combination of ChaCha20 symmetric encryption and ECDH Curve25519, rendering them inaccessible without the attacker’s private key. VanHelsing appends the “.vanhelsing” extension to encrypted files and requires payment in Bitcoin, with ransom notes demanding varying amounts based on victim profiles. Once encryption completes, the ransomware modifies the registry to change the desktop wallpaper, displaying the ransom note to victims.

Given the ransomware’s sophisticated techniques and growing victim base, security professionals should prioritize validating their defenses against this emerging threat using the newly released emulation tools.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 16 May 2025 06:04:53 +0000