New VanHelsing Ransomware Emerges, Targeting Windows, ARM, and ESXi Systems

Bisma Farrukh

A new ransomware-as-a-service (RaaS) operation, named VanHelsing, has emerged, affecting multiple platforms including Windows, Linux, BSD, ARM, and ESXi systems.
CYFIRMA first reported this new ransomware operation on March 7, and Check Point Research followed up with a detailed analysis yesterday.
VanHelsing operates on a revenue-sharing model where affiliates keep 80% of ransom payments, with the core operators receiving 20%.
The ransomware, written in C++, uses the ChaCha20 algorithm to encrypt files and features a stealth mode that reduces the likelihood of detection during the attack.
The group has already targeted victims, including two U.S.-based companies and one in France, with demands exceeding $500,000. Despite some immature code, VanHelsing remains a growing threat to both individual and corporate systems worldwide.
VanHelsing’s ability to affect multiple architectures marks a concerning trend in the evolution of ransomware. It is reportedly capable of infiltrating both personal and enterprise environments, bypassing standard security measures with sophisticated techniques.
Researchers are advising organizations and individuals to implement the latest security patches and enhance their backup protocols to mitigate potential damage.
While the full scope of the attacks remains under investigation, cybersecurity firms are urging heightened vigilance, as VanHelsing continues to evolve and spread.