VanHelsing is a ransomware-as-a-service operation that targets multiple platforms using sophisticated encryption algorithms and a double extortion scheme. AttackIQ has developed an emulation-based attack graph to help organizations validate their security controls against VanHelsing’s tactics and techniques. #VanHelsing #AttackIQ
Key points
- VanHelsing ransomware emerged in March 2025, targeting Windows, Linux, BSD, ARM devices, and VMware ESXi environments with a double extortion model.
- The ransomware encrypts files using Curve25519 and ChaCha20 algorithms, appending the “.vanhelsing” extension to affected files.
- Affiliates join the RaaS by paying a $5,000 deposit and keep 80% of ransom payments, using a dedicated control panel for attack management.
- The ransomware deletes shadow copies and discovers network shares to inhibit recovery and facilitate lateral movement.
- AttackIQ released an attack graph emulating VanHelsing’s behaviors to help organizations test detection and prevention controls.
- Key MITRE ATT&CK techniques used include Ingress Tool Transfer, Inhibit System Recovery, and various system and network discovery methods.
- The attack graph aims to help security teams evaluate and improve their defenses against opportunistic ransomware threats like VanHelsing.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Used to download malicious payloads to memory and disk for testing network and endpoint controls (‘download to memory and save to disk in two separate scenarios’).
- [T1497] Virtualization/Sandbox Evasion – Executes IsDebuggerPresent API to detect if a debugger is attached and evade sandbox environments (‘executes the IsDebuggerPresent Windows API’).
- [T1614] System Location Discovery – Retrieves locale and system region information from Windows APIs such as GetUserDefaultLCID, GetUserDefaultLocaleName, and GetLocaleInfoA (‘retrieves user default locale and country locale code’).
- [T1082] System Information Discovery – Gathers environmental variables and system info through Windows APIs including GetEnvironmentStrings and GetNativeSystemInfo (‘discover environment variables and system info’).
- [T1106] Native API – Creates new processes for payload execution via CreateProcessA Windows API (‘executes the CreateProcessA Windows API call’).
- [T1490] Inhibit System Recovery – Deletes volume shadow copies using wmic command to prevent file recovery (‘executes the wmic shadowcopy delete command’).
- [T1120] Peripheral Device Discovery – Uses GetLogicalDriveStringsW and GetDriveTypeW APIs to identify physical drives on the system (‘retrieves information about system’s physical drives’).
- [T1018] Remote System Discovery – Scans local network for systems with open port 445 to identify remote targets (‘scan local network for remotely accessible systems’).
- [T1135] Network Share Discovery – Executes net share command to list available network shares (‘executes the net share command to list network shares’).
- [T1112] Modify Registry – Changes registry keys to modify desktop wallpaper as part of the attack’s impact (‘modifies HKEY_CURRENT_USER\Control Panel\Desktop’).
- [T1083] File and Directory Discovery – Enumerates filesystem using FindFirstFileW and FindNextFileW to locate files for encryption (‘enumerate the file system’).
- [T1486] Data Encrypted for Impact – Encrypts files in place matching targeted extensions using ChaCha20 and Curve25519 algorithms (‘file encryption routines used by VanHelsing ransomware’).
Indicators of Compromise
- [File Extension] Encrypted files – “.vanhelsing” appended to encrypted files indicating VanHelsing infection.
- [Command Line Activity] Suspicious commands – Examples include “wmic shadowcopy delete” for deleting shadow copies and “net share” for network share enumeration.
- [API Calls] Use of Windows APIs such as IsDebuggerPresent, GetEnvironmentStrings, and CreateProcessA as behavioral indicators of compromise.
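The indicators above can be turned into simple detection rules. The following is an added example, not AttackIQ's attack graph or any of the vendor's code: it runs four rules (shadow copy deletion, net share enumeration, the wallpaper registry change, and the .vanhelsing extension) over constructed log lines; the `event|image|payload` layout is an assumed toy schema, not real EDR or Sysmon output.

```python
# Added example (not AttackIQ's code): detection rules for the VanHelsing
# indicators listed above, run over constructed log lines. The
# 'event|image|payload' layout is an assumed toy schema, not real EDR output.
import re

# (rule name, ATT&CK id, event type, regex applied to the payload field)
RULES = [
    ("shadow_copy_deletion", "T1490", "process",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("net_share_enumeration", "T1135", "process",
     re.compile(r"\bnet1?(\.exe)?\s+share\b", re.I)),
    ("wallpaper_registry_change", "T1112", "registry",
     re.compile(r"HKEY_CURRENT_USER\\Control Panel\\Desktop\\", re.I)),
    ("vanhelsing_extension", "T1486", "file",
     re.compile(r"\.vanhelsing$", re.I)),
]

def parse_line(line):
    """Split 'event|image|payload'; returns None for malformed lines."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        return None
    event, image, payload = (p.strip() for p in parts)
    return {"event": event.lower(), "image": image, "payload": payload}

def match_rules(record):
    """Return [(rule name, technique id), ...] that fire on one record."""
    return [(name, tech) for name, tech, event, pat in RULES
            if record["event"] == event and pat.search(record["payload"])]

def scan(lines):
    """Run every rule over every line -> [(line_no, rule, technique), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is not None:
            findings.extend((n, name, tech) for name, tech in match_rules(rec))
    return findings

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "process|C:\\Windows\\System32\\wmic.exe|wmic shadowcopy delete",
    "process|C:\\Windows\\System32\\net.exe|net share",
    "process|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
    "registry|C:\\Users\\bob\\payload.exe|HKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper",
    "file|C:\\Users\\bob\\payload.exe|C:\\Users\\bob\\Documents\\report.docx.vanhelsing",
    "garbage line without separators",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each rule is gated on the event type as well as the payload, so a benign `dir` command and a malformed line produce no findings.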
Read more: https://www.attackiq.com/2025/05/15/emulating-vanhelsing-ransomware/