The Ransomware-as-a-Service (RAAS) operation, known as Vanhelsing, has already claimed three casualties since its launch on March 7, 2025.
“The RAAS model allows a wide range of participants, from experienced hackers to newcomers, to participate in a $5,000 deposit. Affiliates will maintain 80% of ransom payments and core operators will earn 20%,” Checkpoint said in a report published over the weekend. “
“The only rule is not to target independent states (CIS).
Like affiliate-backed ransomware programs, Vanhelsing claims to provide the ability to target a wide range of operating systems, including Windows, Linux, BSD, ARM, and ESXI. They also employ what is called the double fear tor model, which involves stealing data before encryption, threatening to leak information unless the victim is rewarded.
The RAAS operator also revealed that the scheme provides a control panel that works “seamlessly” on both desktop and mobile devices, and supports dark mode.
What’s noteworthy about Vanhelsing is that reputable affiliates can now participate for free, but new affiliates will have to pay a $5,000 deposit to access the program.
Once released, the C++-based ransomware removes shadow copies, enumerates local and network drives, takes steps to encrypt files with extensions, then changes the desktop wallpaper, and ransom notes are removed by the victim system, prompting you to pay for Bitcoin.
It also supports various command line arguments to direct different aspects of ransomware behavior, such as the encryption mode to use, where it needs to be encrypted, spread the locker to an SMB server, and skip ransomware extensions in “silent” mode.
According to Cyfirma, government, manufacturing and pharmaceutical companies in France and the US have been targeted for the operation of new ransomware.
“With user-friendly control panels and frequent updates, Vanhelsing is becoming a powerful tool for cybercrime,” Check Point said. Within just two weeks of launch, it has already caused serious damage, infecting multiple victims and demanding a large ransom.
The emergence of Vanhelsing coincides with many developments in the ransomware situation –
Discovering new versions of Albabat ransomware that go beyond Windows to Linux and Macos, collecting Black Rock ransomware, a rebranded version of El Dorado, and becoming one of the most active Raas groups in 2025. A page that deploys malware that can establish initial access to compromised systems JavaScript-based malware framework is used to provide Ransomhub Ransomware, known as Socgholish (also known as FakeUpdates). CVE-2025-24472) Starting late January 2025, a threat actor called MORA_001 will be delivering the newly discovered ransomware stock codename Super Black. lockbit, and babuk issue fake fear tor requests to victims
According to statistics compiled by Bitdefender, February 2025 was the worst month for ransomware in history, recording 962 casualties from 425 victims of 962 casualties.
Another notable trend is the rise in remote encryption attacks that can damage unmanaged endpoints by ransomware attackers, leveraging that access to encrypt data on managed domain binding machines.
Telemetry data shared by Sophos has been revealed to have skyrocketed in 2024 with a 50% increase in remote encryption compared to the previous year, with a 141% increase since 2022.
“Remote encryption has now become a standard part of the ransomware group trick bag,” said Chester Wysniewsky, director of Sophos and global field CISO. “Every organization has a blind spot, and ransomware criminals quickly take advantage of weaknesses once discovered.”
“Criminals are increasingly seeking these dark horns and using them as camouflage. Companies need to be pushy to ensure visibility across the property and actively monitor suspicious file activity.”
Source link
