05 June 2025

VanHelsing: our CTI experts publish their technical analysis


Introduction

It no longer needs to be proven: the RaaS (Ransomware as a Service) system is flooding the cyber sphere. Whether targeted or opportunistic, these threats are extremely effective. Some victims prefer to pay a ransom rather than implement a real detection and remediation policy; and as long as there is a market, there will be new actors wanting to take part in it.

The VanHelsing RaaS, which we identified during our threat monitoring, is a representative example. This “new” actor recently released its ransomware, and we propose to study it in this article.

Ransomware Identification and Correlations

As we mentioned in a previous publication on LinkedIn, we were able to obtain 2 samples within a few days of each other.

99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98: March 11th, 2025
86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17: March 16th, 2025

During our initial analysis, these artifacts were not yet known by conventional static engines.


However, we were able to identify them using our GLIMPS Malware analysis engines.

Analysis of the samples in GLIMPS Malware
Our XaiCombined explainability engine even pointed out the functions related to encryption:

Overview of the XaiCombined explainability engine

We then undertook to go a little further to understand the behavior of our samples.

In-Depth Ransomware Analysis

Sample Comparisons

Sha256      9995[…]fd98                              86d8[…]0e17
Type        executable/windows/pe32                  executable/windows/pe32
Magic       PE32                                     PE32
Size        736.77 kB                                1.48 MB
EntryPoint  0x0003F81B                               0x000432F1
TimeStamp   Tue Mar 11 07:47:59 2025                 Sun Mar 16 20:47:56 2025
Sections    .text, 1, .data, .rdata, .reloc          .text, 1, .data (with an embedded PE!), .rdata, .reloc

Apart from the types/magic, these samples do not appear to have any elements in common.

However, our GLIMPS Audit concept-code identification product indicates that there are indeed functions that are similar!

Overview of the analysis in GLIMPS Audit

It also identifies functions shared between our 2 samples, as well as functions belonging to public libraries. Here it is libsodium, an “easy-to-use software library that provides a wide range of cryptographic operations”… <Spoiler> these are the ChaCha20 / Poly1305 encryption and hashing functions. </Spoiler> The main difference between the two samples is that 86d8…0e17 embeds a psexec binary in its .data section, which gives it additional functionality.

For the rest of this analysis, we will focus on sample 9995…fd98.

A bit of static analysis

Import Directory Table

We can get a first idea of some functionalities embedded by this ransomware by looking at its import table:

[NETAPI32.dll] Network management API
[WS2_32.dll] Windows socket provider. A library for managing network sockets. <spoiler> used during SMB enumeration</spoiler>
[SHELL32.dll] A library that provides Windows shell functionalities
[ADVAPI32.dll]
[USER32.dll]
[KERNEL32.dll]

In this case, the file has the capability to interact both with the target system and over the network.

Character Strings

Since the binary is neither obfuscated nor packed, it is relatively easy to find elements that help with qualification.

Command Line Help

VanHelsing Ransomeware usage
-h for help
-v for verbose
-sftpPassword for spread over sftp
-smbPassword for spread over smb
-bypassAdmin for locking the target without admin privileges
-noLogs for stop logging
-nopriority for stop CPU and IO priority
--system: [*] Running as a system
--Driver: [*] Target driver :  %s
--Directory: [*] Target Directory :  %s
--File: [*] Target file :  %s
--Force: [*] Force flag presented , multiple process allowed
--no-autostart: [*] no autostart flag presented , autostart skipped
--no-priority: [*] no priority flag presented , priority skipped
--no-wallpaper: [*] no wallpaper flag presented , wallpaper skipped
--no-local: [*] no local flag presented , local locking skipped
--no-mounted: [*] no mounted flag presented , skipping mounted check
--no-network: [*] no network flag presented , skipping network check
--no-logs: [*] no logs flag presented , now not logging
--no-admin: [*] no admin flag presented , skipping admin check

Ransom note

Overview of the VanHelsing ransom note

Other elements

Encryption key 9ba9e6fb08e013dd3e30f03564295a761204a33385e59d08681e4d2d89f41a32
Extension %s.vanlocker
Ransom note name %s\README.txt

Identification of functions of interest

File Iteration

As is customary in ransomware, we find an iteration loop of elements to encrypt.


Here we have a recursive iteration function. If the iterated element is a file, it is encrypted; if it is a directory, the same function is called on it, which handles arbitrary directory depth. Once a directory has been processed, a ransom note in text format is dropped into it: README.txt.

Network Drive Iteration: SMB Spread

At offsets 0x409C80 & 0x40A240 we find an SMB spread functionality. The malware enumerates the SMB hosts that are available and reachable on the local network (in the same address range as the infected machine) and attempts to encrypt them remotely.

Encryption

GLIMPS Audit allowed us to generate an IDC script that renames the functions identified during its import into IDA.

This allows us to easily spot the functions of interest including the encryption loop which is located at offset 0x408370.

Each file is encrypted with a randomly generated symmetric key. This key and the nonce are then encrypted with a public key (passed via parameter a3 of the function) and written at the beginning of the encrypted file.

Encryption Key Verification

The public key used in the encryption mechanism, 9ba9e6[…]f41a32, is verified at the beginning of the ransomware execution.

The function iterates over each character of the string to verify that it is indeed part of a defined charset.

Drop README.txt and wallpaper setup

The ransom note is dropped in each new folder that is iterated through.

Once the entire encryption process is completed, the wallpaper as well as the default icon are changed in the registry in favor of the VanHelsing logo.

Dynamic analysis of the ransomware

In this case, static analysis is sufficient to understand our malware’s behavior. However, we chose to perform a dynamic analysis that will help substantiate certain elements already identified. A quick look at the event logs (EVTX) confirms what we already knew.

The program starts by creating a mutex:

Then it spawns a thread that performs the SMB spread. Our dynamic execution did not provide a virtual network, so we only observe connection attempts to port 445 (the Windows SMB service) of IP addresses belonging to the same subnet, 192.168.2.0/24.
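The port 445 sweep above is the most visible host-side trace of the SMB spread. As an added example (not code from the original article), the following detection flags a process that contacts many distinct hosts of its own /24 on 445/tcp within a short window; the Sysmon-style network-connection lines, the `locker.exe` image name and the thresholds are constructed assumptions, not observables from the samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed line format (Sysmon Event ID 3 flattened): "<ts> <image> <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<image>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Parse one constructed network-connection line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "image": m["image"],
            "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "port": int(m["port"])}

def detect_smb_fanout(lines, threshold=8, window=timedelta(seconds=60)):
    """Return {(image, src_ip): distinct_hosts} for processes that reach at least
    `threshold` distinct hosts of the source's own /24 on 445/tcp inside `window`."""
    per_proc = defaultdict(list)  # (image, src) -> [(ts, dst)]
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["port"] != 445:
            continue
        subnet = ip_network(f"{ev['src']}/24", strict=False)
        if ev["dst"] in subnet and ev["dst"] != ev["src"]:  # same /24, not itself
            per_proc[(ev["image"], str(ev["src"]))].append((ev["ts"], ev["dst"]))
    hits = {}
    for key, events in per_proc.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[key] = len(seen)
                break
    return hits

# Constructed telemetry: a locker sweeping 192.168.2.0/24 on 445 (as in the
# sandbox run described above) plus benign noise that must not trigger.
SAMPLE_LOG = [
    f"2025-03-11T08:00:{i:02d} C:\\Temp\\locker.exe 192.168.2.15 -> 192.168.2.{i}:445"
    for i in range(1, 13)
] + [
    "2025-03-11T08:00:05 C:\\Windows\\explorer.exe 192.168.2.20 -> 192.168.2.10:445",
    "2025-03-11T08:00:06 C:\\Temp\\locker.exe 192.168.2.15 -> 10.0.0.5:443",
    "2025-03-11T08:00:07 C:\\Temp\\locker.exe 192.168.2.15 -> 192.168.2.15:445",
]

if __name__ == "__main__":
    print(detect_smb_fanout(SAMPLE_LOG))
```

Tune `threshold` and `window` to the environment: legitimate file servers and scanners also fan out on 445, so the image path and user context should be part of the triage.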

In parallel, a loop for directory iteration / ransom note writing / file encryption is set up:

Ransomware Behavior

Our static analysis allows us to deduce the following behavioral graph (confirmed by dynamic analysis).


Conclusion: a ransomware from the VanHelsing family

The analysis we just conducted allows us to affirm that we are facing a ransomware from the VanHelsing family.

It embeds a set of classic functionalities whose presence within a single file is characteristic of ransomware (file iteration, file encryption, ransom note dropping, wallpaper change…).

It uses a modern hybrid encryption scheme (symmetric encryption of the files, with the symmetric key and nonce encrypted asymmetrically) based on the ChaCha20 algorithm, which combines speed and robustness. The same approach is found in other ransomware such as Lockbit or Nitrogen/LukaLocker.

It also embeds other interesting functionalities like the SMB Spread capability which does not exist in other ransomware families.

However, the analyzed samples appear to be “work in progress” versions. Indeed, the help text references FTP spread while no code path implements it. Moreover, the binary ships with a whole set of messages of the kind generally used during debugging phases.

Finally, we find no obfuscation or shadow copy deletion functionalities.

The recent leak/resale of the ransomware source code and builder will probably allow us to substantiate this analysis once we have obtained it. In the meantime, we are able to detect and identify these new threats as they surface.


APPENDIX 1: Observables

Ransomware:

– 99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98
– 86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

Showcase site links:

– http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion
– http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion
– http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion

Payment point links:

– http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion
– http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion
– http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion
– http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion

Registry keys:

– Software\Classes\.vanlocker\DefaultIcon

Debug file:

– C:\Users\ADMINI~1\AppData\Local\Temp\2\74edcda8581f9636c83352ad946821b0\1-locker\Release\1-locker.pdb\x00

Public key used for asymmetric encryption of encryption keys and nonce:

– 9ba9e6fb08e013dd3e30f03564295a761204a33385e59d08681e4d2d89f41a32


APPENDIX 2: External Links

https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/