New VanHelsing RaaS hits three victims, demands $500,000 in bitcoin


A new ransomware-as-a-service (RaaS) affiliate program, likely developed by Russian cybercriminals, is targeting US companies.

VanHelsing RaaS, first detected on March 16th and detailed by researchers at Cyfirma and Check Point, targets US and French companies in the governmental, manufacturing, and pharmacy sectors.

After a device is infected, the attackers change the wallpaper and use a readme.txt file to inform victims that their devices have been compromised.

The victims are asked to pay the ransom in bitcoin, and a warning states that using third-party decryption tools will result in permanent data loss.

The new RaaS appears to be in the early stages of development as it lacks some functionality.

Check Point researchers, who examined two versions of the malware, claim that it is actively being updated and new arguments are likely to be introduced in future versions.

The malware is written in C++ and is primarily aimed at Windows users, though the cybercriminals behind it say that it also provides offerings targeting Linux, BSD, ARM, and ESXi systems.

According to Check Point, VanHelsing accepts multiple command-line arguments that control the encryption process, such as whether to encrypt network and local drives or specific directories and files. This enables attackers to fine-tune the encryption process.

To use the malware, affiliates are asked for a $5,000 deposit and earn 80% of the ransom payments.

However, cybercriminals prohibit targeting the so-called Commonwealth of Independent States, which includes Russia and some of its neighbors. Such behavior is typically observed in Russian cybercrime.

The malware has already claimed three victims, with a $500,000 ransom demanded in bitcoin, Check Point claims in its blog post.