VanHelsing Ransomware | Intel 471

VanHelsing Ransomware

Apr 02, 2025

Threat Overview - VanHelsing Ransomware

In March 2025, a new ransomware-as-a-service (RaaS) program named VanHelsing was launched and quickly gained traction within the cybercriminal community. Within two weeks the program had targeted and infected three victims, demanding ransoms of $500,000 in Bitcoin for decryption and data deletion. Affiliates join by paying a $5,000 deposit and retain 80% of ransom payments, while the core operators receive 20%. VanHelsing ransomware is cross-platform, capable of infecting Windows, Linux, BSD, ARM, and ESXi systems, and offers an intuitive control panel for managing attacks; notably, it prohibits targeting entities within the Commonwealth of Independent States (CIS). Researchers have also observed this new variant already evolving in sophistication, which indicates active development and underscores the need for up-to-date security measures to defend against this emerging variant.

VanHelsing Ransomware Hunt Package Collection

TITAN Info Report: Actor VanHelsingRAAS recruits affiliates to join new Vanhelsing Locker ransomware-as-a-service affiliate program
 


Related Hunt Packages

Windows Management Instrumentation (WMI) Call to delete ShadowCopy via WMIC Command

This Hunt Package is intended to identify when the wmic command is used to delete shadow copies. The provided logic inspects the command line, so it matches the wmic command whether it is executed as a standalone command via wmic.exe or launched by other applications such as the Windows Command Prompt or PowerShell. The wmic command uses Windows Management Instrumentation (WMI) to delete the ShadowCopy. This activity is commonly performed to disrupt restoration and recovery capabilities.

Remote Services - SMB Share mounts/admin shares/scanning

This use case detects when shares are mapped via "net.exe" on the command line, more specifically the hidden administrative shares that can be mapped and then used to remotely copy malicious files and/or executables.

Registry Modification of CLSIDs Pointing to Abnormal Locations - Potential COM Object Hijacking

In July 2022, Microsoft released a report detailing an attack by Knotweed that deployed the Jumplump and Corelump malware into the victim environment. Jumplump modified the registry keys of legitimate CLSID COM object references so that malicious DLLs were loaded instead of the default DLLs. The provided query logic targets any CLSID that has been modified in the registry to point to an unusual location, such as temp and user directories. It is common to observe the ProgramData and Program Files directories, as these are often updated when programs are installed or updated.
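As an added illustration of the query logic described above (this is example code written for this page, not the Hunt Package itself and not Intel 471 code), the Python below watches the InprocServer32/LocalServer32 sub-keys of any CLSID and flags a (Default) value that points into a temp or user-profile directory, while letting the expected Program Files and ProgramData locations through. The event schema (event_type, key, value_name, data), the list of abnormal path markers and the sample events with placeholder GUIDs are all assumptions constructed for the example.

```python
import re

# Only the server sub-keys of a CLSID decide which binary COM loads, so those are
# the keys worth watching, whether under HKLM\SOFTWARE\Classes or a per-user hive.
CLSID_SERVER_KEY = re.compile(
    r"\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)

# Path fragments treated as "unusual locations" for a COM server: temp folders and
# anything under a user profile. Constructed list for this example, not the
# package's own lists.
ABNORMAL_PATH_MARKERS = ("\\users\\", "\\temp\\", "\\tmp\\", "\\appdata\\", "\\public\\")


def normalize_path(data: str) -> str:
    """Lower-case the value data and drop surrounding quotes and trailing arguments,
    so '"C:\\Temp\\x.dll" /embedding' and 'c:\\temp\\x.dll' compare equal."""
    s = data.strip().lower()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]
    return s


def is_abnormal_location(data: str) -> bool:
    """True when the COM server path lives in a temp or user-writable directory."""
    return any(marker in normalize_path(data) for marker in ABNORMAL_PATH_MARKERS)


def hunt_clsid_hijack(events):
    """Return the registry events that redirect a CLSID server to an abnormal path.

    Each event is a dict with 'event_type', 'key', 'value_name' and 'data'
    (assumed field names; map them onto your own telemetry schema)."""
    alerts = []
    for ev in events:
        if ev.get("event_type") != "RegistryValueSet":
            continue
        m = CLSID_SERVER_KEY.search(ev["key"])
        # The (Default) value holds the server path; ThreadingModel etc. are irrelevant.
        if not m or ev.get("value_name", "(Default)") != "(Default)":
            continue
        if is_abnormal_location(ev["data"]):
            alerts.append({"key": ev["key"], "data": ev["data"], "server": m.group(1)})
    return alerts


# Constructed sample events; the GUIDs are placeholders, not real CLSIDs.
SAMPLE_EVENTS = [
    {"event_type": "RegistryValueSet",
     "key": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
     "value_name": "(Default)", "data": r"C:\Program Files\Vendor\vendor.dll"},
    {"event_type": "RegistryValueSet",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32",
     "value_name": "(Default)", "data": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"event_type": "RegistryValueSet",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32",
     "value_name": "ThreadingModel", "data": "Apartment"},
    {"event_type": "RegistryValueSet",
     "key": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\LocalServer32",
     "value_name": "(Default)", "data": r'"C:\ProgramData\Vendor\svc.exe" /embedding'},
]

if __name__ == "__main__":
    for a in hunt_clsid_hijack(SAMPLE_EVENTS):
        print(f"CLSID hijack candidate: {a['server']} -> {a['data']}")
```

Only the second sample event is reported: the first and fourth point at vendor install locations, and the third changes ThreadingModel rather than the server path. The per-user hive matters because a hijack under HKCU\Software\Classes takes precedence over the HKLM entry without needing administrative rights, so the rule deliberately does not restrict itself to HKLM.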

Copying a File to a Hidden Share Directory

This package is designed to capture activity when a command is issued to copy a file to a hidden share, including the C$ share. This can indicate access to a restricted share on another system or a lateral movement attempt.

Shadow Copies Deletion Using Operating Systems Utilities

Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with PowerShell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing "delete" and variations of "shadow".
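The command-line hunts on this page (wmic shadow copy deletion, the broader shadow copy deletion package above, net.exe mapping of hidden administrative shares, and copying a file to a hidden share) all reduce to pattern checks over process-creation telemetry. The Python below is an added example of those checks run over constructed events; it is not the Hunt Packages' own query logic and not Intel 471 code. The event field names (image, parent, cmdline), the rule names and the sample command lines are assumptions made for the example.

```python
import re

# Drive-letter, ADMIN$ and IPC$ shares are the hidden administrative shares the
# packages care about, written as a UNC path of the form \\host\<share>$.
HIDDEN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:[a-z]\$|admin\$|ipc\$)", re.IGNORECASE)

# Binaries the shadow copy package names, plus pwsh.exe for PowerShell 7.
SHADOW_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "vssvc.exe"}

# A file-copy command at the start of the line, optionally wrapped in "cmd /c".
COPY_COMMAND = re.compile(
    r"^(?:cmd(?:\.exe)?\s+/c\s+)?(?:copy|xcopy|robocopy|move)\b", re.IGNORECASE
)


def shadow_copy_deletion(ev) -> bool:
    """'delete' plus some variation of 'shadow' on the command line of a known tool,
    or on any command line that runs wmic (covers wmic launched from cmd or PowerShell)."""
    cmd = ev["cmdline"].lower()
    via_tool = ev["image"].lower() in SHADOW_TOOLS or "wmic" in cmd
    return via_tool and "delete" in cmd and "shadow" in cmd


def hidden_share_mount(ev) -> bool:
    """net.exe mapping a hidden administrative share."""
    cmd = ev["cmdline"]
    return (ev["image"].lower() == "net.exe"
            and " use " in f" {cmd.lower()} "
            and HIDDEN_SHARE.search(cmd) is not None)


def copy_to_hidden_share(ev) -> bool:
    """A copy/move command whose source or destination is a hidden-share UNC path."""
    cmd = ev["cmdline"]
    return COPY_COMMAND.search(cmd) is not None and HIDDEN_SHARE.search(cmd) is not None


RULES = {
    "shadow_copy_deletion": shadow_copy_deletion,
    "hidden_share_mount": hidden_share_mount,
    "copy_to_hidden_share": copy_to_hidden_share,
}


def run_hunts(events):
    """Map each rule name to the command lines it matched."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["cmdline"])
    return hits


# Constructed process-creation events; FILESRV01 is a placeholder host name.
SAMPLE_EVENTS = [
    {"image": "wmic.exe", "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"image": "vssadmin.exe", "parent": "cmd.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd /c wmic shadowcopy delete"},
    {"image": "net.exe", "parent": "cmd.exe", "cmdline": r"net use Z: \\FILESRV01\C$"},
    {"image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r"cmd /c copy C:\Windows\Temp\svc.exe \\FILESRV01\C$\Windows\Temp"},
    {"image": "wmic.exe", "parent": "cmd.exe", "cmdline": "wmic os get caption"},
    {"image": "net.exe", "parent": "cmd.exe", "cmdline": r"net use P: \\FILESRV01\Public"},
    {"image": "vssadmin.exe", "parent": "cmd.exe", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for name, matched in run_hunts(SAMPLE_EVENTS).items():
        for cmdline in matched:
            print(f"[{name}] {cmdline}")
```

The three benign events at the end (a wmic inventory query, a mapping of a non-hidden share, and a read-only vssadmin listing) are there to show what the rules must not fire on; the "delete" plus "shadow" pairing from the package description is what separates the listing from the deletion. Note the fourth event: the deletion is spotted on the cmd.exe command line even though wmic.exe itself would normally appear as a child process, which is the point of matching on command-line content rather than image name alone.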
