VanHelsingRaaS is an emerging ransomware-as-a-service (RaaS) program launched in March 2025 that lets affiliates start ransomware attacks for a low deposit. It targets multiple platforms and has already infected several victims, each facing significant ransom demands. The program's rapid growth and sophisticated capabilities highlight the evolving ransomware threat.
Affected: Ransomware, Cybercrime, Windows, Linux, BSD, ARM, ESXi Systems
Key points:
- VanHelsingRaaS was launched on March 7, 2025.
- Affiliates can join for a ,000 deposit, keeping 80% of the ransom.
- Targets Windows, Linux, BSD, ARM, and ESXi systems.
- Two variants of the ransomware were identified within five days.
- Infected three victims within two weeks, demanding 0,000 in ransom.
- Ransomware uses a user-friendly control panel to manage attacks.
- Strict prohibition against targeting CIS countries.
- Ransomware employs multiple command-line arguments for encryption control.
- Encryption process includes file and directory specification options.
- Ransom notes are dropped as README.txt in each folder.
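One way to hunt for the note-dropping behaviour listed above (README.txt written into each folder), as an added example that is not from the original report: because README.txt is a common filename, it only flags a process that creates it in many distinct folders within a short window. The event tuple layout, the threshold, the window, and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

NOTE_NAME = "readme.txt"        # ransom note filename reported on this page
MIN_DIRS = 5                    # assumed threshold: distinct folders in one burst
WINDOW = timedelta(seconds=60)  # assumed burst window

# Constructed file-creation events: (timestamp, host, pid, image, created path)
SAMPLE_EVENTS = (
    # One process writing the note into six folders within seconds
    [(f"2025-03-20T10:00:{i:02d}", "ws01", 4120, r"C:\Users\Public\sample.exe",
      rf"C:\Users\alice\Documents\proj{i}\README.txt") for i in range(6)]
    # Benign: an installer writing a single README.txt
    + [("2025-03-20T09:00:00", "ws01", 812, r"C:\Temp\setup.exe",
        r"C:\Program Files\Tool\README.txt")]
    # Benign: repository checkouts, one README.txt per hour
    + [(f"2025-03-20T{11 + i}:00:00", "ws01", 2044, r"C:\Program Files\Git\bin\git.exe",
        rf"C:\src\repo{i}\README.txt") for i in range(6)]
)

def find_note_bursts(events, min_dirs=MIN_DIRS, window=WINDOW):
    """Return {(host, pid, image): [dirs]} for processes that create the note
    file in at least min_dirs distinct directories inside one time window."""
    per_proc = defaultdict(list)
    for ts, host, pid, image, path in events:
        p = PureWindowsPath(path)
        if p.name.lower() == NOTE_NAME:  # case-insensitive filename match
            per_proc[(host, pid, image)].append(
                (datetime.fromisoformat(ts), str(p.parent).lower()))
    alerts = {}
    for key, hits in per_proc.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dirs = {d for _, d in hits[start:end + 1]}
            if len(dirs) >= min_dirs:
                alerts[key] = sorted(dirs)
                break
    return alerts

if __name__ == "__main__":
    for (host, pid, image), dirs in find_note_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host} pid={pid} {image}: {NOTE_NAME} in {len(dirs)} folders")
```
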
MITRE Techniques:
- T1486 – Data Encrypted for Impact: The ransomware encrypts files to extort ransom from victims.
- T1045 – Network Share Discovery: The ransomware identifies and attempts to encrypt network shares.
- T1070 – Indicator Removal on Host: Attempts to disguise its presence and remove logs during execution.
- T1203 – Exploitation for Client Execution: Targets various operating systems for initial infection.
- T1550 – Use of Default Credentials: Exploits known credential vulnerabilities across numerous systems.
Indicators of Compromise:
Full Story: https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/