CSO Online
New VanHelsing ransomware claims three victims within a month
A new ransomware-as-a-service (RaaS) affiliate program, VanHelsing, is rapidly gaining traction, with its operators successfully targeting three victims within a month of its launch on March 7.

Presumed to be Russian because it prohibits targeting of Commonwealth of Independent States (CIS) countries, the RaaS project was first discovered by CYFIRMA on March 16, as attackers used it for encryption and double extortion.

“Once executed, VanHelsing appends the ‘.vanhelsing’ extension to the encrypted files, modifies the desktop wallpaper, and drops a ransom note named ‘README.TXT’ on the victim’s system,” CYFIRMA said in a blog post.

One of VanHelsing’s victims was reportedly asked to pay $500,000 to a specified Bitcoin wallet.

A multi-platform RaaS

CYFIRMA reported VanHelsing to be a Windows-targeting ransomware. “Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files,” CYFIRMA had said.

Days later, however, Check Point spotted VanHelsing advertising offering multi-platform variants on the dark web.

“Check Point research discovered two VanHelsing ransomware variants targeting Windows, but as the RaaS mentions in the advertisements, it provides more offerings ‘targeting Linux, BSD, ARM, and ESXi systems,’” Check Point said in a blog.

The RaaS offers an intuitive control panel for simplified ransomware operations, Check Point added. The newer of the two variants analyzed by Check Point — compiled five days apart — showed “significant updates,” suggesting a rapidly evolving ransomware.

Russian origin is suspected for the RaaS program as it forbids encryption of systems in the CIS countries, a behavior typical of Russian cybercrime.

Sophisticated affiliate program

VanHelsing is a refined ransomware written in C++ and, based on the compilation timestamp observed by Check Point, claimed its first victim on the same day it was spotted by CYFIRMA.

“The ransomware accepts multiple command-line arguments that control the encryption process, such as whether to encrypt network and local drives or specific directories and files,” Check Point added.

Additionally, as per VanHelsing’s advertisement screenshot shared with the Check Point blog post, the RaaS offers other affiliate-friendly features including encryption control, encryption modes, self-propagation, and debugging.

While new affiliates are required to pay a deposit of $5,000 to gain access to the program, experienced ones can join for free. “After two blockchain confirmations of the victim’s ransom payment, the affiliates receive 80% of the revenue, while the remaining 20% is paid to the RaaS operators,” Check Point added.

To keep victims from restoring or recovering files, the RaaS is designed to delete all “Shadow Copies,” which are backup copies of files or volumes created by Windows Volume Shadow Copy Service (VSS).
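Deletion of Volume Shadow Copies is one of the few ransomware behaviours that leaves a clear process-creation trace before encryption finishes, so it is a high-value detection point. The following is an added example written for this article, not code from CSO Online, CYFIRMA or Check Point: it runs a small set of detection rules for the publicly documented VSS-removal command lines (MITRE ATT&CK T1490) over process-creation telemetry. It assumes the events have been exported as one JSON object per line with `Computer`, `User`, `Image` and `CommandLine` fields (Sysmon Event ID 1 style); the sample events and rule names are constructed for illustration.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example, not code from the article or any vendor named in it.
Assumes process-creation events exported as JSON lines with "Computer",
"User", "Image" and "CommandLine" fields (assumed field names).
"""
import json
import re
from dataclasses import dataclass

# Publicly documented ways of removing VSS snapshots (ATT&CK T1490).
# Matched against a lower-cased, whitespace-normalised command line.
SHADOW_COPY_RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "vssadmin_resize_storage": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "powershell_win32_shadowcopy": re.compile(
        r"win32_shadowcopy\b.*\b(?:remove-wmiobject|remove-ciminstance)\b"),
}


@dataclass
class Finding:
    rule: str
    computer: str
    user: str
    command_line: str


def normalise(command_line: str) -> str:
    """Collapse whitespace runs and lower-case so extra spaces or mixed
    case in the command line do not defeat the match."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def parse_jsonl(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank or malformed records
    instead of aborting the whole job on one bad line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_shadow_copy_deletion(events: list) -> list:
    """Return one Finding per event whose command line matches a rule."""
    findings = []
    for event in events:
        cmd = normalise(event.get("CommandLine", ""))
        for name, pattern in SHADOW_COPY_RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(name,
                                        event.get("Computer", "?"),
                                        event.get("User", "?"),
                                        event.get("CommandLine", "")))
                break  # one finding per event is enough
    return findings


# Constructed sample telemetry: two benign events, three that should alert,
# and one malformed line that the parser must skip.
SAMPLE_LOG = r"""
{"Computer":"ws01","User":"CORP\\alice","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe README.TXT"}
{"Computer":"srv02","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe  Delete Shadows /All /Quiet"}
{"Computer":"ws01","User":"CORP\\bob","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows"}
{"Computer":"srv02","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete"}
not json at all
{"Computer":"srv02","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\""}
"""


def run_sample() -> list:
    """Run the rules over the constructed sample; returns the findings."""
    return detect_shadow_copy_deletion(parse_jsonl(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.computer} {f.user}: {f.command_line}")
```

In practice the rules would be fed from the SIEM's process-creation stream rather than a string, and an alert on any of them from a non-backup-software parent is worth treating as a ransomware precursor rather than a noisy administrative event; `vssadmin list shadows` is deliberately left unmatched so routine inventory does not page anyone.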

According to CYFIRMA, the ransomware has so far targeted government, manufacturing, and pharmaceutical organizations in the US and France. It advises companies to implement robust encryption, authentication, and configuration practices, along with ensuring backups of critical systems and files.
