- Check Point researchers found a new ransomware strain called VanHelsing
- It is an emerging threat, and affiliates must pay a fee to join
- Three organizations were already victims
A dangerous new ransomware variant has been seen, capable of encrypting Windows, Linux, VMware ESXi systems and more.
Cybersecurity researchers at Check Point revealed that the malware is called VanHelsing and operates under a service model (ransomware-as-a-service).
The RaaS operation began on March 7, 2025, and the encrypter is still under development. So far, multiple infections have been seen, and the researchers managed to analyze some variants, all on the Windows platform. Between them, it was said, there were incremental updates, demonstrating that VanHelsing is being actively and quickly developed.
Russian group?
So far, three organizations have fallen victim to VanHelsing, and each was asked for $500,000 in cryptocurrency in exchange for the decryption key. We do not know if the affiliates also exfiltrate data, but it is safe to assume yes.
Check Point also said there seem to be different rules for affiliates who want. Newcomers to the cybercriminal scene must pay a $5,000 fee to be included as an affiliate. The most established names in the scene do not have to pay at all.
The revenue split favors affiliates, it was further explained. It is an 80-20 split, with 20% going to the ransomware operators.
As for attribution, it is very likely that the operation is Russian, since targeting organizations in Russia or in the Commonwealth of Independent States (the former Soviet Union, basically) is not allowed.
“This is difficult to say, but they are generally operating under Russian territory,” said Antonis Terefos, a malware reverse engineer at Check Point.
The researchers also hinted that the Russian government does not go after cybercriminals as long as they only attack organizations in the West.
If that is really the case, and VanHelsing is allowed to operate freely, it could quickly become a prolific threat actor, rivaling LockBit or RansomHub. In addition, it would make it obvious that ransomware has become a tool in global power struggles, something we have seen North Korea do for years.
Via The Register