- Check Point researchers found a new ransomware strain called VanHelsing
- It is an emerging threat, where affiliates need to pay a fee to get in
- Three organizations already fell victim
A new dangerous ransomware variant has been spotted, capable of encrypting Windows devices, Linux, VMware, ESXi systems, and more.
Cybersecurity researchers Check Point revealed the malware is called VanHelsing, and works on a service model (Ransomware-as-a-Service).
The RaaS operation kicked off on March 7, 2025, and the encryptor is still under development. So far, multiple infections were spotted, and the researchers managed to analyze a few variants, all on the Windows platform. Between them, there were incremental updates, it was said, proving VanHelsing is being actively – and quickly – developed.
Russian group?
So far, three organizations fell victim to VanHelsing, each being asked for $500,000 in crypto, in exchange for the decryption key. We don’t know if the affiliates also engage in data exfiltration, but it’s safe to assume they do.
Check Point also said there appears to be different rules for wanna-be affiliates. Those that are newcomes to the cybercriminal scene need to pay a $5,000 fee to be included as an affiliate. More established names in the scene don’t have to pay at all.
Splitting the proceeds favors the affiliates, it was further explained. It’s an 80-20 split, with 20% going to the ransomware’s operators.
As for attribution, the operation is most likely Russian, since it is not allowed to target organizations in Russia or the Commonwealth of Independent States (former Soviet Union, basically).
“This is difficult to say, but usually they are operating under Russian territory,” noted Antonis Terefos, a malware reverse engineer at Check Point.
The researchers also hinted the Russian government does not target cybercriminals, as long as they only attack organizations in the West.
If that really is the case, and VanHelsing is allowed to work freely, it can quickly become a prolific threat actor, rivaling the likes of LockBit, or RansomHub. Furthermore, it will become obvious that ransomware has become a tool in global power struggles, something we’ve seen North Korea doing for years now.
Via The Register
Leave a comment