Cybersecurity experts have successfully emulated the behaviors of VanHelsing, a sophisticated ransomware-as-a-service (RaaS) operation that emerged in March 2025 and has rapidly gained notoriety in cybercriminal circles.
The ransomware employs a double extortion model, encrypting victims’ files with the Curve25519 and ChaCha20 algorithms while simultaneously exfiltrating sensitive data and threatening public disclosure if ransom demands are not met.
VanHelsing appends the “.vanhelsing” extension to encrypted files and requires payment in Bitcoin, with ransom notes demanding varying amounts based on victim profiles.
What makes VanHelsing particularly concerning is its cross-platform capabilities, allowing it to target Windows, Linux, BSD, ARM devices, and VMware ESXi environments.
The Windows variant, written in C++, demonstrates advanced persistence and evasion tactics. The RaaS operation maintains a structured affiliate program requiring a $5,000 deposit from newcomers, with affiliates retaining 80% of ransom payments collected from victims.
Affiliates gain access to a dedicated control panel for managing attacks, tracking victims, and monitoring payment status.
AttackIQ researchers identified that as of May 14, 2025, the VanHelsing operation had already infected five organizations across the United States, France, Italy, and Australia, with data from three non-compliant victims published on the group's leak site.
The security firm has released a comprehensive attack graph emulating the behaviors exhibited by this ransomware, enabling organizations to test their security controls against this emerging threat.
The attack begins with the ransomware’s deployment on compromised systems, followed by initial reconnaissance activities designed to gather system information and ensure the target is viable.
VanHelsing performs sophisticated pre-encryption checks to avoid infecting unintended victims, such as those in specific geographical locations, and implements various anti-analysis measures to evade detection.
Advanced Evasion and Encryption Techniques
VanHelsing employs multiple evasion techniques to remain undetected during its operation.
The malware checks for the presence of debuggers using the IsDebuggerPresent Windows API and employs system location discovery through multiple API calls including GetUserDefaultLCID, GetUserDefaultLocaleName, and GetLocaleInfoA to determine the victim’s geographical location.
Security researchers emulating the ransomware identified that it uses GetEnvironmentStrings and GetNativeSystemInfo to fingerprint systems and potentially search for stored credentials.
Before encryption begins, VanHelsing sabotages recovery options by executing the following command to delete Volume Shadow Copies:
vssadmin Delete Shadows /All /Quiet
Detection of this behavior can be implemented by monitoring process creation and command line activity:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
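The detection rule above, applied to process-creation telemetry, as an added example that is not part of the original article or the AttackIQ attack graph. The event records are constructed samples, and the extra match on a directly launched vssadmin.exe (which the article's rule would miss because no shell is involved) is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry); the field
# names mimic what a Sysmon Event ID 1 or EDR process feed would carry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin Delete Shadows /All /Quiet"},
    {"pid": "4133", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "VSSADMIN delete  shadows /all /quiet"'},
    {"pid": "4150", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": "4160", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin list shadows"},
    {"pid": "4170", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Shells named in the article's rule. vssadmin.exe itself is added here as an
# assumption: the ransomware may launch it without going through a shell.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
DIRECT_IMAGES = {"vssadmin.exe"}

# Case-insensitive, and tolerant of repeated whitespace between the two words.
VSSADMIN_RE = re.compile(r"vssadmin", re.IGNORECASE)
DELETE_SHADOWS_RE = re.compile(r"delete\s+shadows", re.IGNORECASE)


def image_name(image_path: str) -> str:
    """Return the lower-cased executable name from a full Windows path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_deletion(event: Dict[str, str], include_direct: bool = True) -> bool:
    """Apply the rule: (cmd.exe OR powershell.exe) AND the command line contains
    both 'vssadmin' and 'Delete Shadows'. With include_direct, a direct
    vssadmin.exe launch carrying the same arguments also matches."""
    name = image_name(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    allowed = SHELL_IMAGES | (DIRECT_IMAGES if include_direct else set())
    if name not in allowed:
        return False
    return bool(VSSADMIN_RE.search(cmdline) and DELETE_SHADOWS_RE.search(cmdline))


def matching_pids(events: List[Dict[str, str]], include_direct: bool = True) -> List[str]:
    """Run the rule over a batch of events and return the PIDs that fire it."""
    return [e["pid"] for e in events if is_shadow_deletion(e, include_direct)]


if __name__ == "__main__":
    for pid in matching_pids(SAMPLE_EVENTS):
        print(f"ALERT: shadow copy deletion attempt, pid={pid}")
```

Note that the read-only "vssadmin list shadows" event does not fire, so the rule keeps to the destructive action rather than any use of the tool.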
The ransomware then systematically identifies valuable targets through file system traversal using the FindFirstFileW and FindNextFileW Windows APIs.
Files matching specific extensions are encrypted using a combination of ChaCha20 symmetric encryption and ECDH Curve25519, rendering them inaccessible without the attacker’s private key.
Once encryption completes, the ransomware modifies the registry to change the desktop wallpaper, displaying the ransom note to victims.
Given VanHelsing's sophisticated techniques and growing victim base, security professionals should prioritize validating their defenses against this emerging threat using the newly released emulation tools.