Reference Number ACG-CSB 04072538

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

A new ransomware threat called VanHelsing emerged in early 2025, operating under the increasingly popular Ransomware-as-a-Service (RaaS) model. Under this model the operators lease the ransomware to affiliates, often lower-skilled cybercriminals, in exchange for a share of each ransom. VanHelsing is particularly dangerous because of its cross-platform capabilities, its double extortion tactics, and a well-structured affiliate model that splits profits between the operator and the attackers who deploy it. With its stealthy behavior and effective encryption, VanHelsing has quickly drawn attention from the cybersecurity community.

One of the main concerns surrounding VanHelsing is how easily it can be adopted by a wide range of cybercriminals. RaaS is a criminal business model in which ransomware developers rent their tools to other attackers, much as a subscription service rents access to software. Affiliates pay for ready-made ransomware, complete with instructions, payment infrastructure and even support, which lets less-skilled criminals launch attacks. VanHelsing is a current example of RaaS: affiliates pay a substantial fee to join, after which they receive ransomware builds capable of attacking Windows and Linux systems. This accessibility multiplies the number of potential attackers and victims, and because many unrelated actors deploy the same payload the campaign is harder to track and disrupt. The operation also relies on double extortion: data is stolen before it is encrypted, so victims face the leak of sensitive files even when they can restore from backups, which increases the pressure to pay.

A midsized healthcare provider falls victim after an employee clicks a malicious link in a phishing email. Within minutes the ransomware spreads across internal servers, encrypting patient records and operational files. Sensitive data is exfiltrated before the systems are locked. The attackers leave behind a ransom note demanding a large Bitcoin payment and threatening to publish the stolen data if payment is not made within 72 hours. The organization faces an urgent crisis, balancing recovery efforts against legal and reputational consequences.

In another case, a logistics company running critical operations on Linux servers experiences a sudden operational freeze. The attack is traced back to an unpatched remote access service exploited by the VanHelsing attackers. Customer data, shipment schedules and financial records are encrypted and exfiltrated. Although backups exist, the threat of public exposure forces the company into high-level negotiations while it scrambles to restore services.

To reduce the risk from VanHelsing and similar ransomware, a few basic but effective measures apply. Back files up regularly and keep a copy offline, disconnected from the main computer and the network, so that it cannot be encrypted or deleted along with everything else. Train everyone in the organization to recognise suspicious emails, especially those with unexpected links or attachments. Limit who can access important systems, and watch the network for unusual activity such as many files being modified at once or large outbound transfers, which may indicate encryption or data theft in progress. If something does go wrong, a clear, rehearsed response plan helps you act quickly and limit the damage.
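
As an added illustration of keeping an eye out for anything unusual (example code, not from the PNP ACG bulletin or from any published VanHelsing analysis), the script below replays file-activity events in an assumed simplified line format and flags a process that rewrites many files across many directories within one minute, the burst pattern that encryption by ransomware typically produces. The event format, host and process names, thresholds and sample events are all constructed assumptions; a real deployment would feed it from an EDR or file-server audit log.

```python
"""Heuristic detection of ransomware-style mass file modification.

Added example, not code from the PNP ACG bulletin or from any VanHelsing
sample.  It replays file-activity events in a simplified line format
assumed here ("timestamp|host|pid|process|action|path", not the format
of any particular product) and flags a process that writes, renames or
deletes an unusual number of files across many directories within a
short window.  All thresholds and sample events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # assumed sliding window length
FILE_THRESHOLD = 20              # assumed: distinct files per window per process
DIR_THRESHOLD = 5                # assumed: distinct directories per window per process
NOISY_ACTIONS = {"write", "rename", "delete"}


def _constructed_events():
    """Build constructed sample events: one benign user process and one
    process that rewrites 30 files in six share directories in 30 seconds."""
    base = datetime(2025, 3, 20, 9, 0, 0)
    lines = []
    for i, name in enumerate(["report.docx", "budget.xlsx", "notes.txt"]):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()}|SRV-FILE01|4120|WINWORD.EXE|write|"
                     f"C:\\Users\\ana\\Documents\\{name}")
    shares = ["Finance", "HR", "Patients", "Ops", "Legal", "Archive"]
    for i in range(30):
        t = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{t.isoformat()}|SRV-FILE01|6672|update_svc.exe|write|"
                     f"D:\\Shares\\{shares[i % 6]}\\file{i:02d}.docx")
    return "\n".join(lines)


SAMPLE_EVENTS = _constructed_events()


def parse_events(text):
    """Parse the assumed pipe-separated format into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, proc, action, path = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "proc": proc, "action": action,
                       "path": path})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bursts(events, window=WINDOW, file_threshold=FILE_THRESHOLD,
                  dir_threshold=DIR_THRESHOLD):
    """Return one alert per (host, pid, process) whose modifications inside
    any sliding window reach both thresholds.  Requiring many distinct
    directories, not just many files, separates an encryption sweep from a
    single bulk export or a build tool writing into one folder."""
    by_proc = defaultdict(list)
    for e in events:
        if e["action"] in NOISY_ACTIONS:
            by_proc[(e["host"], e["pid"], e["proc"])].append(e)

    alerts = []
    for (host, pid, proc), evs in by_proc.items():
        recent = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:   # slide the window
                recent.popleft()
            files = {x["path"] for x in recent}
            dirs = {str(PureWindowsPath(x["path"]).parent) for x in recent}
            if len(files) >= file_threshold and len(dirs) >= dir_threshold:
                alerts.append({"host": host, "pid": pid, "proc": proc,
                               "first": recent[0]["ts"], "last": e["ts"],
                               "files": len(files), "dirs": len(dirs)})
                break   # one alert per process is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['host']} pid={a['pid']} {a['proc']}: "
              f"{a['files']} files in {a['dirs']} dirs between "
              f"{a['first'].time()} and {a['last'].time()}")
```

Two caveats for anyone adapting this: the thresholds must be tuned against a baseline of normal activity on each file server (backup agents and indexers legitimately touch many files), and because double extortion steals data before encryption begins, an alert from this heuristic fires after the exfiltration has already happened, so it belongs alongside monitoring of unusual outbound transfers rather than in place of it.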

RECOMMENDATION

The public is advised to follow these tips to avoid becoming a victim of VanHelsing ransomware attacks:

  • Back up important files regularly and keep a copy offline, for example on a USB drive or external hard disk that is disconnected once the backup completes. This lets you recover your data without paying the ransom if VanHelsing encrypts your files or deletes backups that are reachable from the network;
  • VanHelsing is often delivered through phishing emails, so treating unexpected messages with suspicion stops many attacks before they start. Do not click unfamiliar links or open attachments from senders you do not know, and verify unexpected requests through another channel;
  • Install antivirus or endpoint protection software, keep it and the operating system updated, and run regular scans. Up-to-date protection can block VanHelsing before it encrypts your files, and patched systems close the kind of remote access weaknesses these attacks exploit; and
  • Have a simple response plan ready in case a computer is attacked, including whom to call, how to disconnect the affected machine from the network, and where the backups are kept. Being prepared helps you respond quickly, reduce the damage and recover your data without paying the ransom.

For additional information, please refer to the following websites:

  • https://fieldeffect.com/blog/new-vanhelsing-raas
  • https://www.cyfirma.com/news/weekly-intelligence-report-21-mar-2025/
  • https://industrialcyber.co/ransomware/vanhelsing-ransomware-uses-double-extortion-on-us-french-government-manufacturing-pharma-sectors/

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Officer-In-Charge, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.
