VanHelsing Ransomware Builder Exposed on Hacker Forums

The VanHelsing ransomware operation has suffered a significant security breach: its source code has been leaked publicly.

According to security researchers, this leak occurred after an internal dispute with a former developer who attempted to monetize the code before it was released freely by the ransomware operators.

The leaked materials include critical components of the ransomware infrastructure, though some elements remain missing, potentially limiting immediate exploitation by opportunistic threat actors.

The controversy began when a developer identifying as ‘th30c0der’ attempted to auction the VanHelsing ransomware source code on the RAMP cybercrime forum.

The auction reportedly started at $10,000, suggesting the developer was seeking to profit from their previous work with the ransomware operation.

However, this monetization attempt was quickly undermined when the VanHelsing operators themselves released the code publicly, claiming they were preempting what they described as the developer’s “scam.”

The timing of these events indicates an internal conflict within the ransomware group, with the original operators stating they are already working on a new version dubbed “VanHelsing 2.0.”

This pattern of internal disputes leading to code leaks has been observed in other ransomware operations and often signals a significant disruption to the group’s operational security.

Technical Analysis of the Leaked Source Code

Security researchers examining the leaked materials have confirmed their authenticity while noting several technical aspects of interest.

The leak encompasses the Windows encryptor builder, the affiliate panel used to manage ransomware campaigns, and the data leak blog infrastructure used to pressure victims into paying ransoms.

Notably absent from the leak are the Linux builder component and the operation’s databases, which limits the immediate utility of the code for potential copycats.

Analysis of the source code reveals functionality intended to prevent multiple infections of the same system:

```cpp
if (isForce == FALSE)
{
    // Named global mutex serves as an "already running" marker for this host
    HANDLE hMutex = CreateMutexA(nullptr, TRUE, "Global\\VanHelsingLocker");
    if (GetLastError() == ERROR_ALREADY_EXISTS)
    {
        return EXIT_FAILURE;
    }
}
```

This mutex implementation prevents the ransomware from executing twice on the same system. The code also shows evidence of lateral movement capabilities through SMB protocols:

```cpp
// Run the MonitorAndKill routine on a background thread
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) MonitorAndKill, NULL, 0, NULL);
if (isSpreadSmb == TRUE)
{
    net* _net = new net();
    WCHAR temp_path[500];
    WCHAR psexec_path[1500];
    // Build the path "<temp dir>\psexec.exe" for the PsExec copy
    GetTempPathW(500, temp_path);
    swprintf_s(psexec_path, L"%s\\psexec.exe", temp_path);
}
```
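As an added example (not part of the article or of the leaked code), the following Python hunting routine flags the behaviour the snippet above implies in endpoint telemetry: a PsExec binary written to, or executed from, a temp directory. The event format and field names are constructed and only loosely modelled on Sysmon process-creation (ID 1) and file-creation (ID 11) events.

```python
"""Hunt for a PsExec copy staged under a temp directory, the pattern
implied by GetTempPathW + "psexec.exe" in the leaked spreader code."""
import re

# Constructed sample events (not real telemetry) in a simplified key=value form.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\psexec.exe ParentImage=C:\\Users\\alice\\Downloads\\invoice.exe CommandLine="psexec.exe \\\\host1 payload.exe"',
    'EventID=1 Image=C:\\Tools\\PsExec64.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="PsExec64.exe \\\\srv01 cmd"',
    'EventID=11 Image=C:\\Users\\alice\\Downloads\\invoice.exe TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\psexec.exe',
]

TEMP_DIR_RE = re.compile(r'\\(Temp|Tmp)\\', re.IGNORECASE)
PSEXEC_RE = re.compile(r'(^|\\)psexec(64)?\.exe$', re.IGNORECASE)


def parse_event(line):
    """Split key=value pairs; values may be double-quoted and contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def score_event(fields):
    """Return the list of reasons an event matches the psexec-from-temp pattern."""
    reasons = []
    image = fields.get("Image", "")
    target = fields.get("TargetFilename", "")
    if fields.get("EventID") == "1" and PSEXEC_RE.search(image):
        reasons.append("psexec executed")
        if TEMP_DIR_RE.search(image):
            reasons.append("executed from temp directory")
    if fields.get("EventID") == "11" and PSEXEC_RE.search(target) and TEMP_DIR_RE.search(target):
        reasons.append("psexec written to temp directory")
    return reasons


def hunt(lines):
    """Return (Image, reasons) for every event that matches at least one rule."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        reasons = score_event(fields)
        if reasons:
            hits.append((fields.get("Image", ""), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The legitimate PsExec64 run from C:\Tools is still reported, but with a single reason, so an analyst can rank the temp-directory hits above it rather than suppress the tool outright.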

Researchers have also discovered that the group was developing an MBR (Master Boot Record) locker, designed to replace the system’s boot record with a lock screen message, rendering infected systems completely unusable until payment.

Implications for the Cybersecurity Landscape

This source code leak follows a concerning pattern seen previously with other ransomware operations, including Babuk, Conti, and LockBit.

Historically, such leaks have enabled new threat actors to launch derivative attacks with minimal technical expertise required.

Although the VanHelsing leak is incomplete and would require modifications to be fully operational, it nonetheless provides malicious actors with a foundation they can build upon.

The cybersecurity community is now monitoring for potential new variants based on the leaked code.

The VanHelsing operators’ announcement of a forthcoming “VanHelsing 2.0” version suggests they plan to continue operations despite this setback, potentially with improved security measures to prevent future leaks.

For organizations and cybersecurity professionals, this development underscores the importance of maintaining robust security postures and staying informed about emerging threats that may leverage components of the leaked ransomware builder.
