A new and rapidly evolving ransomware-as-a-service (RaaS) operation called VanHelsingRaaS has emerged in the cybercrime landscape.
Launched on March 7, 2025, this sophisticated threat has already claimed three victims in less than two weeks, demanding ransoms of $500,000 paid to Bitcoin wallets.
The operation allows affiliates to join with a $5,000 deposit, offering them 80% of ransom payments while the core operators retain 20%.
VanHelsingRaaS has distinguished itself by expanding beyond Windows to target multiple platforms, including Linux, BSD, ARM, and ESXi systems.
This cross-platform capability significantly enhances its threat potential across enterprise environments.
The service provides affiliates with an intuitive control panel that simplifies the execution of ransomware attacks, lowering the technical barrier to entry for cybercriminals.
Check Point researchers detected two variants of the VanHelsing ransomware, compiled just five days apart, demonstrating the operation’s rapid development cycle.
Analysis revealed significant updates between versions, highlighting the malware authors’ commitment to evolving their threat capabilities.
The only operational restriction imposed by the RaaS operators is a prohibition on targeting systems within Commonwealth of Independent States (CIS) countries, a common practice among Russian-based cybercrime operations.
The ransomware employs sophisticated encryption techniques, utilizing a Curve25519 public key embedded in the code.
For each encrypted file, it generates two random ephemeral values (32 bytes and 12 bytes) to use as the key and nonce for ChaCha20 encryption.
Files are renamed with the .vanhelsing extension after encryption, and a ransom note is dropped in each folder.
Silent Mode: Evading Detection
A particularly concerning feature of VanHelsingRaaS is its implementation of a “Silent” mode, activated through the –Silent command-line argument.
This mode splits the malware’s functionality into two distinct phases to evade detection systems.
In normal operation, the ransomware enumerates folders, identifies files, encrypts them, and immediately renames them with the .vanhelsing extension. However, when operating in Silent mode, it temporarily skips the file renaming step.
The code implementing this evasion technique is particularly noteworthy:

```c
// Decompiled excerpt: the rename step runs only when the Silent flag is clear.
// flag_silent_564DB0 is set when the sample is launched with the Silent argument.
if (!flag_silent_564DB0) {
    // Build "<original path>.vanhelsing" into a 0x1860-byte buffer
    formatString_40B0A0((char *)new_filepath, 0x1860, (const char *)L"%s.vanhelsing", *filepath);
    // Flags 3 = MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED
    if (!MoveFileExN(*filepath, new_filepath, 3u)) {
        LastError = GetLastError();
    }
}
```
After all files have been encrypted in Silent mode, the ransomware performs a second pass, this time solely to rename the files.
This two-stage approach helps evade behavioral detection systems that might flag simultaneous encryption and renaming activities as indicators of ransomware behavior.
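The following is an added example, not code from the article or from Check Point's report, showing why a detection rule that only looks for "write immediately followed by rename" misses the Silent-mode pattern, and how two phase-agnostic rules (mass modification across many folders, and a later burst of renames to one new extension) still catch it. The file-activity events, process IDs, paths and thresholds are all constructed for the demonstration and are assumptions, not values from the report.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file-system event, in the shape an EDR or Sysmon feed would give (constructed)."""
    ts: float            # seconds since start of capture
    pid: int
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # only for renames


def detect_write_then_rename(events, window=2.0, min_hits=3):
    """Classic heuristic: same process writes a file and renames it to a new
    extension within `window` seconds, on at least `min_hits` files.
    This is the behaviour Silent mode deliberately splits apart."""
    last_write = {}                 # (pid, path) -> ts of last write
    hits = defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if e.op == "write":
            last_write[(e.pid, e.path)] = e.ts
        elif e.op == "rename":
            t = last_write.get((e.pid, e.path))
            changed_ext = os.path.splitext(e.new_path)[1] != os.path.splitext(e.path)[1]
            if t is not None and e.ts - t <= window and changed_ext:
                hits[e.pid] += 1
    return {pid for pid, n in hits.items() if n >= min_hits}


def detect_mass_modification(events, window=10.0, min_files=20, min_dirs=3):
    """Phase-agnostic heuristic: one process overwrites many distinct files in
    many distinct folders within `window` seconds, whether or not renames follow."""
    recent = defaultdict(deque)     # pid -> recent write events (sliding window)
    flagged = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.op != "write":
            continue
        q = recent[e.pid]
        q.append(e)
        while e.ts - q[0].ts > window:
            q.popleft()
        files = {x.path for x in q}
        dirs = {os.path.dirname(x.path) for x in q}
        if len(files) >= min_files and len(dirs) >= min_dirs:
            flagged.add(e.pid)
    return flagged


def detect_mass_rename(events, window=10.0, min_files=20):
    """Catches the second pass of Silent mode: a burst of renames by one
    process that all end in the same new extension."""
    recent = defaultdict(deque)     # (pid, new extension) -> rename timestamps
    flagged = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.op != "rename":
            continue
        q = recent[(e.pid, os.path.splitext(e.new_path)[1])]
        q.append(e.ts)
        while e.ts - q[0] > window:
            q.popleft()
        if len(q) >= min_files:
            flagged.add(e.pid)
    return flagged


def analyze(events):
    """Run all three rules and return pid -> set of rule names that fired."""
    verdicts = defaultdict(set)
    for name, rule in (("write_then_rename", detect_write_then_rename),
                       ("mass_modification", detect_mass_modification),
                       ("mass_rename", detect_mass_rename)):
        for pid in rule(events):
            verdicts[pid].add(name)
    return dict(verdicts)


def constructed_events():
    """Constructed sample feed: one benign process, one normal-mode encryptor,
    one Silent-mode encryptor (writes first, renames 100 s later)."""
    ev = []
    for i in range(3):                                   # benign editor saving files
        ev.append(FileEvent(10.0 + i, 7, "write", f"C:/Users/a/doc{i}.txt"))
    for i in range(5):                                   # normal mode: write, rename 0.5 s later
        p = f"C:/Users/a/Documents/file{i}.docx"
        ev.append(FileEvent(50.0 + i, 4242, "write", p))
        ev.append(FileEvent(50.5 + i, 4242, "rename", p, p + ".vanhelsing"))
    for i in range(25):                                  # Silent mode: 25 writes over 5 folders, renames much later
        p = f"C:/Shares/dir{i % 5}/report{i}.xlsx"
        ev.append(FileEvent(100.0 + i * 0.2, 5151, "write", p))
        ev.append(FileEvent(200.0 + i * 0.2, 5151, "rename", p, p + ".vanhelsing"))
    return ev


if __name__ == "__main__":
    for pid, rules in sorted(analyze(constructed_events()).items()):
        print(pid, sorted(rules))
```

On the constructed feed the write-then-rename rule fires only for the normal-mode process (4242) and is blind to the Silent-mode process (5151), while the mass-modification and mass-rename rules flag 5151 in each of its two phases; the point for detection engineering is to alert on volume and spread of modifications rather than on the rename coinciding with the write.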
As VanHelsingRaaS continues to evolve, security professionals must remain vigilant against this sophisticated and rapidly spreading threat.