TZUTC: -0500   
   MSGID: 670.consprcy@1:2320/105 2c4944e7   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   This dangerous new ransomware is hitting Windows, ARM, ESXi systems   
      
   Date:   
   Tue, 25 Mar 2025 14:04:00 +0000   
      
   Description:   
   VanHelsing variant works across different platforms, including Windows and   
   Linux.   
      
   FULL STORY   
      
   A new dangerous ransomware variant has been spotted, capable of encrypting   
   Windows devices, Linux, VMware, ESXi systems, and more.    
      
   Cybersecurity researchers Check Point revealed the malware is called   
   VanHelsing, and works on a service model (Ransomware-as-a-Service).    
      
   The RaaS operation kicked off on March 7, 2025, and the encryptor is still   
   under development. So far, multiple infections were spotted, and the   
   researchers managed to analyze a few variants, all on the Windows platform.   
   Between them, there were incremental updates, it was said, proving VanHelsing   
   is being actively - and quickly - developed.    
      
   Russian group?   
      
   So far, three organizations fell victim to VanHelsing, each being asked for   
   $500,000 in crypto, in exchange for the decryption key. We dont know if the   
   affiliates also engage in data exfiltration, but its safe to assume they do.    
      
   Check Point also said there appears to be different rules for wanna-be   
   affiliates. Those that are newcomes to the cybercriminal scene need to pay a   
   $5,000 fee to be included as an affiliate. More established names in the    
   scene dont have to pay at all.    
      
   Splitting the proceeds favors the affiliates, it was further explained. Its    
   an 80-20 split, with 20% going to the ransomwares operators.    
      
   As for attribution, the operation is most likely Russian, since it is not   
   allowed to target organizations in Russia or the Commonwealth of Independent   
   States (former Soviet Union, basically).    
      
   "This is difficult to say, but usually they are operating under Russian   
   territory," noted Antonis Terefos, a malware reverse engineer at Check Point.    
      
   The researchers also hinted the Russian government does not target   
   cybercriminals, as long as they only attack organizations in the West.    
      
   If that really is the case, and VanHelsing is allowed to work freely, it can   
   quickly become a prolific threat actor, rivaling the likes of LockBit, or   
   RansomHub. Furthermore, it will become obvious that ransomware has become a   
   tool in global power struggles, something weve seen North Korea doing for   
   years now.    
      
    Via The Register   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/this-dangerous-new-ransomware-is-hittin   
   g-windows-arm-esxi-systems   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426