Check Point has spotted a fresh ransomware-as-a-service crew in town: VanHelsing, touting a cross-platform locker targeting Microsoft Windows, Linux, and VMware ESXi systems, among others. But so far, only Windows machines have fallen victim, we're told.
Launched on March 7, this RaaS operation has already infected three organizations with ransom demands amounting to $500,000 a victim. Check Point's analysis suggests VanHelsing is a freshly developed ransomware strain, rather than a quick rebrand of existing malware code.
Newcomers looking to try their hand at spreading ransomware and infecting victims need to cough up a $5,000 deposit to join the VanHelsing affiliate program, while seasoned cybercrooks with a solid reputation can skip the fee. The payout split favors affiliates, who pocket 80 percent of ransom payments, leaving the remaining 20 percent for the RaaS operators. It's up to the affiliates to figure out how to get the malware onto a victim's network; think booby-trapped emails and downloads.
So far, VanHelsing's victims have all been Windows users, according to Check Point, despite the RaaS touting cross-platform support, from Microsoft's OS to BSD and including Arm-based devices. Researchers analyzed two distinct Windows samples compiled five days apart. The affiliate program offers a control panel designed to streamline infections, lowering the technical bar for would-be cybercriminals. Development is clearly ongoing, with several incomplete features, unimplemented commands, and quick-fire updates between observed versions.
"The ransomware is really fresh," Eli Smadja, research group manager at Check Point, told The Register Monday.
"For example, they published the first announcement of the creation of the affiliate program on March 7. And then the first sample that we see, it was on the 11th, and we see another one on the 16th.
"In almost 10 days, we found two Windows samples and three victims. Currently, we haven't seen any of the other ones, like Linux or other systems, because we read like some mentions that some affiliates tested some versions as well."
One hard rule applies: No hitting targets in Russia and other nations in the Commonwealth of Independent States. Various ransomware gangs have that red line, we note.
"This is difficult to say, but usually they are operating under Russian territory," Antonis Terefos, a malware reverse engineer at Check Point, told us.
"Recently there were some leaks from the Lockbit affiliate groups, and even the affiliates inside them are actually afraid that they are going to be hired by the Russian government to perform various attacks. That was interesting to see from the affiliate side."
Indeed, by this point it is evident that the Russian government is willing to turn a blind eye to cyber-criminals that extort Western organizations, if not actively work with ransomware gangs. Similar state-criminal cooperation has been spotted in China. ®