
A new ransomware-as-a-service (RaaS) operation dubbed “VanHelsing” has surfaced, targeting multiple operating systems and employing double extortion tactics. With an entry fee of $5,000, the group has already claimed three victims, signaling a growing threat to enterprises. The malware’s capabilities include data exfiltration prior to encryption, increasing pressure on victims to pay ransoms.
VanHelsing RaaS: Key Features and Tactics
The VanHelsing operation distinguishes itself through multi-OS compatibility, enabling attacks on Windows, Linux, and VMware ESXi systems. This broad targeting increases its potential impact across enterprise environments. The group leverages double extortion, stealing sensitive data before encrypting files, and threatens to leak information if ransoms are unpaid. According to Kaspersky, the malware uses evasion techniques to bypass detection, including process injection and obfuscated C2 communications.
Affiliation and Infrastructure
Initial analysis suggests ties to Russian-speaking threat actors, with C2 servers hosted in bulletproof hosting environments. The group operates a semi-private RaaS model, requiring vetting of affiliates before granting access to the malware. This approach mirrors other high-profile RaaS operations like REvil and LockBit. Researchers at Palo Alto Networks have observed overlaps in TTPs with known APT groups, though attribution remains unconfirmed.
Mitigation and Defense Recommendations
Enterprises should prioritize patch management, particularly for internet-facing systems, and implement robust backup strategies. Network segmentation and endpoint detection and response (EDR) solutions can help contain ransomware spread. Monitoring for unusual outbound traffic may detect data exfiltration attempts. CISA recommends applying the principle of least privilege and disabling unnecessary remote access protocols.
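As an added example (not code from the article or from any vendor it cites), a small detector for the "unusual outbound traffic" check recommended above: it baselines each host's daily outbound byte volume from constructed flow records and flags a host whose volume jumps well above its own history, listing any destination that host has never contacted before. Hostnames, addresses, log format and thresholds are assumed sample values.

```python
"""Flag hosts whose outbound byte volume jumps far above their own baseline.

Constructed flow records in an assumed netflow-like text format:
"timestamp src_host dst_ip bytes_out". Thresholds are illustrative.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: four quiet days, then one host pushes ~48 MB to a new IP at 02:13.
FLOW_LOG = """\
2025-03-20T10:00 ws01 203.0.113.10 120000
2025-03-20T10:05 ws02 203.0.113.10 95000
2025-03-21T10:00 ws01 203.0.113.10 110000
2025-03-21T10:05 ws02 203.0.113.10 100000
2025-03-22T10:00 ws01 203.0.113.10 130000
2025-03-22T10:05 ws02 203.0.113.10 90000
2025-03-23T10:00 ws01 203.0.113.10 125000
2025-03-23T10:05 ws02 203.0.113.10 105000
2025-03-24T02:13 ws01 198.51.100.7 48000000
2025-03-24T10:05 ws02 203.0.113.10 98000
"""

def parse_flows(text):
    """Yield (day, host, dst, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        yield ts[:10], host, dst, int(nbytes)

def daily_totals(flows):
    """Aggregate per host: {day: bytes_out} and {day: set of destinations}."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests

def find_exfil_candidates(text, baseline_days, target_day, sigma=3.0, min_bytes=1_000_000):
    """Alert on hosts whose bytes_out on target_day exceed mean + sigma*stddev of their
    baseline days and an absolute floor; include destinations unseen during the baseline."""
    totals, dests = daily_totals(parse_flows(text))
    alerts = []
    for host, per_day in totals.items():
        history = [per_day.get(d, 0) for d in baseline_days]   # missing days count as 0
        today = per_day.get(target_day, 0)
        threshold = mean(history) + sigma * pstdev(history)
        if today > threshold and today >= min_bytes:
            known = set().union(*(dests[host][d] for d in baseline_days))
            new_dsts = sorted(dests[host][target_day] - known)
            alerts.append({"host": host, "bytes_out": today,
                           "threshold": round(threshold), "new_destinations": new_dsts})
    return alerts
```

The absolute floor keeps tiny hosts with near-zero history from alerting on noise; in practice the baseline would come from a longer window and a real flow collector rather than an embedded string.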
As VanHelsing expands its operations, organizations must remain vigilant against this evolving threat. Early detection and response are critical to mitigating damage from ransomware attacks.