VanHelsing Ransomware: A Cross-Platform Threat Targeting Windows, Linux, and Virtualized Environments

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Check Point Research recently published a blog detailing the emergence of VanHelsingRaaS, a rapidly growing ransomware-as-a-service (RaaS) operation first observed on March 7, 2025. Their analysis highlights the cross-platform capabilities of the ransomware, targeting Windows, Linux, BSD, ARM, and ESXi systems, and its affiliate-driven model, which allows cybercriminals to conduct ransomware attacks through an intuitive control panel.

Check Point’s research uncovered two ransomware variants, compiled just five days apart, demonstrating the rapid evolution of VanHelsingRaaS. The blog also reveals that within just two weeks, this ransomware has already compromised three victims, demanding $500,000 in Bitcoin for decryption and data deletion. The operation follows a strict prohibition on targeting Commonwealth of Independent States (CIS) countries, a pattern commonly seen in Russian cybercriminal activities. The findings emphasize the urgent need for enhanced ransomware defenses, proactive threat intelligence monitoring, and robust incident response strategies to mitigate the risks posed by this fast-evolving ransomware threat.
Vulnerability Details
The VanHelsing Ransomware, discovered on March 16, 2025, is written in C++ and appears to be in early development. It allows attackers to control encryption via command-line arguments, including targeting local and network drives. Some features are still unfinished, with log entries present but no corresponding actions. The ransom note (README.txt) warns victims of encrypted files and demands Bitcoin for decryption. The note threatens permanent data loss if third-party decryptors are used and invites the victim to contact the attacker.

The VanHelsing Ransomware drops two images into the C:\Windows\Web folder—one for changing the desktop background and another for file association. However, a flaw in the ransomware prevents proper icon association with encrypted files. The ransomware retains a PDB file path, exposing details about its development environment. Check Point Research used this to identify an earlier variant, compiled on March 11, 2025, with notable differences. Another discovered file attempts to load an embedded binary but fails due to an invalid data buffer, rendering it ineffective.

The VanHelsing Ransomware includes multiple command-line arguments, allowing attackers to customize encryption based on their objectives. These arguments control target selection, execution behavior, and stealth features, such as encryption scope (specific files, directories, or drives), logging options, process priority, and spreading via SMB. Some arguments remain unimplemented, indicating ongoing development, including vCenter propagation and autostart mechanisms. Analysis of two samples, compiled five days apart, shows the ransomware is rapidly evolving, with new features and arguments being introduced, suggesting continued refinement and expansion of its capabilities.

VanHelsing Ransomware targets Windows shadow copies to prevent victims from restoring files using built-in recovery options. It initializes COM services, detects system architecture, and leverages WMI queries to identify shadow copies. The malware enumerates stored backups and deletes them using WMIC commands, ensuring no local file recovery. This tactic increases the likelihood of ransom payment by forcing victims to rely solely on the attacker for decryption. The implementation suggests a structured approach to system manipulation, reinforcing the ransomware’s evolving sophistication.

VanHelsing Ransomware begins local encryption by identifying available drives using GetLogicalDriveStringsW. It retrieves logical drive information and selects fixed local and mounted drives for encryption unless the --no-mounted argument is used. Once the target drives are determined, the ransomware recursively scans and encrypts all files and folders, ensuring widespread data encryption across the system. This method maximizes impact, making file recovery difficult without the decryption key.
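The shadow-copy deletion described above is one of the few noisy steps before encryption starts, so it is a natural detection point. The following is an added example (not code from the report or from Check Point) that parses constructed Sysmon-style process-creation records and flags WMIC invocations whose command line combines the shadowcopy and delete verbs in any order; the key=value layout and the sample lines are assumptions made for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in a Sysmon Event ID 1-like
# key=value layout (sample data, not real telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete "
    "ParentImage=C:\\Users\\alice\\Downloads\\update.exe",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy where ID=\"{GUID}\" delete "
    "ParentImage=C:\\Users\\alice\\Downloads\\update.exe",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get caption "
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad README.txt "
    "ParentImage=C:\\Windows\\explorer.exe",
]

# Splits "Key=value Key2=value ..." records; a value runs until the next
# " Key=" token, so the split relies on field names being known words.
FIELD_RE = re.compile(r"(Image|CommandLine|ParentImage)=(.*?)(?=\s(?:Image|CommandLine|ParentImage)=|$)")


def parse_event(line: str) -> dict:
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_shadow_copy_deletion(event: dict) -> bool:
    """True when wmic.exe is asked to delete shadow copies, regardless of
    whether a 'where' filter sits between the verbs."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    tokens = event.get("CommandLine", "").lower().split()
    return image == "wmic.exe" and "shadowcopy" in tokens and "delete" in tokens


def detect(lines) -> list:
    """Return one alert per matching record, keeping the parent process so
    an analyst can pivot to the binary that launched WMIC."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_shadow_copy_deletion(event):
            alerts.append({"parent": event.get("ParentImage"),
                           "cmd": event.get("CommandLine")})
    return alerts
```

Both hits in the sample set point back to the same unsigned parent in a Downloads folder, which is the pivot a responder would chase next.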

VanHelsing Ransomware enumerates folders and files for encryption using FindFirstFileW, FindNextFileW, and FindClose. To maintain system functionality, it excludes critical folders, files, and extensions from encryption, such as Windows system directories and executables. However, a flaw exists: the ransomware mistakenly excludes .vanlocker files instead of .vanhelsing-encrypted files. This oversight could result in double encryption if a second instance of the ransomware executes, further complicating data recovery.

VanHelsing Ransomware scans the local network for SMB servers by checking port 445 and attempting to access shared resources using NetShareEnum. It encrypts network shares by default unless --no-network is specified, running as a separate thread. In Silent mode, files on network shares are encrypted without changing their extension. If --spread-smb is enabled, the ransomware drops psexec.exe in the Temp folder to execute itself remotely on writable shares. However, it avoids encrypting NETLOGON and sysvol to prevent disrupting user authentication.

The --Silent mode in VanHelsing Ransomware helps evade detection by separating encryption and file renaming into two distinct stages. In Normal mode, the ransomware encrypts files and renames them with the .vanhelsing extension. However, in Silent mode, it first encrypts all files without renaming them, then runs a second pass to rename them afterward. This method reduces the likelihood of triggering security alerts, as renaming happens only after encryption is completed.

VanHelsing Ransomware uses Curve25519 for public-key encryption and ChaCha20 for file encryption. Each file gets a random 32-byte key and a 12-byte nonce, which are encrypted using the embedded public key and stored in the file header in hexadecimal format. If a file is ≥1GB, only the first 30% is encrypted; otherwise, the entire file is encrypted in 1MB chunks. The ransomware appends a custom extension immediately unless --Silent mode is enabled, in which case renaming occurs after all files are encrypted.
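Because Silent mode leaves the original extension in place until the second pass, extension-based monitoring alone misses the first stage. The following added example (not part of the report or of any vendor tool) shows a triage check that combines the two signals the text gives: a .vanhelsing suffix for Normal-mode output, and ChaCha20-level entropy in files whose extension promises readable text for Silent-mode output. The extension allow-list, the 7.5 bits-per-byte threshold, and the sample files are assumptions for the demonstration.

```python
import math
import random
from pathlib import PureWindowsPath

# Extensions whose legitimate content should never look like cipher output.
# Compressed or already-encrypted formats (zip, jpg, pdf) are deliberately
# absent: they are naturally high entropy and would cause false positives.
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".html", ".json", ".ini"}
ENCRYPTED_EXT = ".vanhelsing"       # extension appended in Normal mode
ENTROPY_THRESHOLD = 7.5             # bits per byte; English text sits near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ceiling for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: str, head: bytes) -> str:
    """Classify one file from its name and a sample of its leading bytes.
    Sampling the start is enough: even for files >= 1GB the first 30% is
    encrypted, so the head is ciphertext in both size regimes."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext == ENCRYPTED_EXT:
        return "renamed-encrypted"
    if ext in PLAINTEXT_EXTS and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "silent-encrypted"
    return "clean"


def scan(samples) -> dict:
    return {path: classify(path, head) for path, head in samples}


# Constructed samples: seeded random bytes stand in for ChaCha20 output.
_rng = random.Random(20250316)
SAMPLES = [
    ("C:\\Users\\alice\\notes.txt", b"Quarterly report draft, revision two. " * 100),
    ("C:\\Users\\alice\\contracts.csv", _rng.randbytes(4096)),        # Silent mode, not yet renamed
    ("C:\\Users\\alice\\photo.jpg.vanhelsing", _rng.randbytes(4096)),  # Normal mode
    ("C:\\Users\\alice\\archive.zip", _rng.randbytes(4096)),           # high entropy but expected
]
```

In a real sweep the head sample should start past the hexadecimal key/nonce header, whose ASCII hex digits would otherwise drag the measured entropy down.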
Conclusion
VanHelsing Ransomware and its RaaS variant, VanHelsingRaaS, represent a rapidly evolving and highly adaptable threat. With its cross-platform capabilities, command-line customization, and stealthy encryption tactics, this ransomware poses a significant risk to both individual users and enterprises. The malware’s ability to spread via SMB, evade detection using Silent Mode, and leverage strong encryption techniques such as Curve25519 and ChaCha20 makes recovery without paying the ransom nearly impossible.