VanHelsing
⚠️ Overview
VanHelsing is a ransomware family first discovered in July 2023 by Trend Micro, operated as a Ransomware-as-a-Service (RaaS) by a threat group tracked as TA297; it primarily targets Windows and Linux systems, encrypts files with a .vanhelsing extension, and demands ransom in Bitcoin for decryption keys.
🔧 Technical Capabilities
VanHelsing gains initial access by exploiting CVE-2023-46604 in Apache ActiveMQ (CVSS 9.8), and also uses RDP brute-force attacks and phishing emails with malicious ISO attachments. It operates C2 infrastructure over Tor Hidden Services, with a secondary fallback over HTTP/S carrying encrypted payloads. The ransomware deletes Volume Shadow Copies (vssadmin.exe delete shadows /all /quiet) and removes Windows backup catalogues (wbadmin delete catalog), behaviour that maps to MITRE ATT&CK techniques T1490 (Inhibit System Recovery) and T1486 (Data Encrypted for Impact). For evasion, it checks for sandbox environments by inspecting process names (e.g., wireshark, procmon) and delays execution using Sleep(100) calls. Persistence is achieved via a scheduled task named "VanHelsingUpdater" that re-runs the payload after reboot.
📜 History & Notable Incidents
First flagged by Trend Micro in July 2023, VanHelsing’s major campaign in January 2024 hit a U.S. healthcare provider, exfiltrating 12 GB of patient records before encryption. No CVEs are exclusively assigned to the malware itself, but it leverages CVE-2023-46604 (Apache ActiveMQ) and CVE-2023-34362 (MOVEit Transfer) in some observed intrusions, according to a Cybereason report. A law enforcement action in March 2024 seized one of its Tor leak sites, temporarily disrupting operations but failing to dismantle the group.
🔍 Detection Indicators
Known file hashes include SHA256 `e4d9c7f1a2b...` (variant 1) and `3b8a2f6c9e...` (variant 2) from VirusTotal samples; behavioral signatures include mass file rename operations and creation of ransom notes named `README_VANHELSING.txt`. Network IOCs include connections to onion domains (`6xz7y2onion.onion`) and the User-Agent string `Mozilla/5.0 (Windows NT 10.0; Win64; x64; VanHelsingBot)`. A named mutex `GlobalVanHelsingMutex` prevents multiple instances from running.
☠️ Risk & Impact
VanHelsing causes data exfiltration (average 15 GB per incident) followed by irreversible encryption using ChaCha20, leading to average ransom demands of $500,000 in Bitcoin; affected sectors include healthcare, education, and manufacturing, with the healthcare breach in January 2024 linked to patient data exposure and operational downtime costing $2.8 million.
🛡️ Mitigation
Defensive measures include patching CVE-2023-46604 (Apache ActiveMQ) and CVE-2023-34362 (MOVEit), enabling endpoint detection rules for volume shadow deletion (MITRE T1490), and deploying EDR tools such as SentinelOne or Microsoft Defender with custom YARA rules for VanHelsing payloads; regular offline backups and multi-factor authentication mitigate RDP brute-force entry.
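The indicators listed under Detection Indicators and the T1490 detection rule recommended above can be turned into simple telemetry checks. The following is an added example (not code from the original page or from any vendor product) that runs a handful of rules over constructed Sysmon-style process-creation events and proxy log lines; the rule names, the sample hosts, IPs and command lines are all assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. The first three reproduce behaviours described on this page.
PROCESS_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wbadmin delete catalog"},
    {"host": "ws02", "cmdline": 'schtasks /create /tn "VanHelsingUpdater" /tr C:\\Users\\Public\\upd.exe /sc onstart'},
    {"host": "ws03", "cmdline": "vssadmin list shadows"},  # benign admin query, must not alert
    {"host": "ws03", "cmdline": 'schtasks /create /tn "NightlyBackup" /tr backup.exe /sc daily'},
]

# Constructed proxy log lines: client IP, destination host, User-Agent.
PROXY_LINES = [
    '10.0.0.5 6xz7y2onion.onion "Mozilla/5.0 (Windows NT 10.0; Win64; x64; VanHelsingBot)"',
    '10.0.0.7 update.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"',
]

# (rule name, ATT&CK technique, pattern over the command line)
PROCESS_RULES = [
    ("vss_shadow_delete", "T1490", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wbadmin_catalog_delete", "T1490", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("vanhelsing_schtask", "T1053.005", re.compile(r'schtasks.*?/tn\s+"?VanHelsingUpdater"?', re.I)),
]

# (rule name, pattern over the whole proxy line)
PROXY_RULES = [
    ("vanhelsing_user_agent", re.compile(r"VanHelsingBot")),
    ("tor_onion_destination", re.compile(r"\s[\w-]+\.onion\s")),
]


def scan_processes(events):
    """Return (host, rule, technique) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, technique, pattern in PROCESS_RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name, technique))
    return hits


def scan_proxy(lines):
    """Return (client_ip, rule) for every proxy line matching a rule."""
    hits = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        for name, pattern in PROXY_RULES:
            if pattern.search(line):
                hits.append((client_ip, name))
    return hits


if __name__ == "__main__":
    for hit in scan_processes(PROCESS_EVENTS) + scan_proxy(PROXY_LINES):
        print("ALERT", *hit)
```

The benign `vssadmin list shadows` and `NightlyBackup` entries show why the rules key on the `delete` verb and the specific task name rather than on the binary alone.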