- Check Point researchers have found a new ransomware strain called VanHelsing
- It is an emerging threat in which affiliates must pay a fee to join
- Three organizations have already fallen victim
A dangerous new ransomware variant has been identified, capable of encrypting Windows, Linux and VMware ESXi systems, among others.
Cybersecurity researchers at Check Point have revealed that the malware is called VanHelsing and operates on a Ransomware-as-a-Service (RaaS) model.
The RaaS operation began on March 7, 2025, and the encryptor is still under development. So far, several infections have been identified and the researchers have managed to analyze several variants, all for the Windows platform. Between them there have been progressive updates, they said, showing that VanHelsing is being actively and quickly developed.
Russian group?
So far, three organizations have fallen victim to VanHelsing, each being asked for $500,000 in cryptocurrency in exchange for the decryption key. We do not know whether the affiliates also exfiltrate data, but it is safe to assume that they do.
Check Point also said there appear to be different rules for different affiliates. Newcomers to the cybercriminal scene must pay a $5,000 fee to join as an affiliate, while more established names in the scene pay nothing at all.
The profit split favors the affiliates, it was explained: an 80-20 split, with 20% going to the ransomware operators.
As for attribution, the operation is most likely Russian, because affiliates are not permitted to target organizations in Russia or the Commonwealth of Independent States (mostly former Soviet Union countries).
“This is difficult to say, but they generally operate within Russian territory,” noted Antonis Terefos, malware reverse engineer at Check Point.
The researchers also suggested that the Russian government does not go after cybercriminals as long as they only attack organizations in the West.
If that is indeed the case and VanHelsing is allowed to operate freely, it could quickly become a prolific threat actor, rivaling LockBit or RansomHub. It also makes clear that ransomware has become a tool in global power struggles, as we have seen with North Korea for years now.
Via The Register