A new ransomware-as-a-service (RaaS) operation known as VanHelsing has recently emerged in the cybercriminal landscape, with three victims already falling prey to its attacks since its launch on March 7, 2025. The RaaS model of VanHelsing allows a diverse range of participants, from seasoned hackers to novices, to get involved by requiring a $5,000 deposit. Affiliates are entitled to keep 80% of the ransom payments, while the core operators retain 20%.
According to a report by Check Point, VanHelsing prohibits targeting the Commonwealth of Independent States (CIS), setting a rule for its affiliates. The ransomware program offers the capability to target a variety of operating systems, including Windows, Linux, BSD, Arm, and ESXi. Additionally, it operates on the double extortion model by stealing data before encrypting it and threatening to leak the information unless the victim complies with the ransom demands.
One of the distinctive features of VanHelsing is the provision of a control panel that is user-friendly and compatible with both desktop and mobile devices, even supporting dark mode. Reputable affiliates can join the program for free, while new affiliates are required to pay a $5,000 deposit to access the operation.
Once deployed, the C++-based ransomware initiates a series of actions such as deleting shadow copies, encrypting files with the “.vanhelsing” extension, modifying the desktop wallpaper, and leaving a ransom note prompting the victim to make a Bitcoin payment. The ransomware also supports various command-line arguments to control its behavior, from encryption modes to targeted locations and operational modes like spreading the locker to SMB servers.
The ransomware has specifically targeted government, manufacturing, and pharmaceutical companies based in France and the United States, as revealed by cybersecurity firm CYFIRMA. Check Point noted that VanHelsing has quickly become a powerful tool for cybercriminals, causing significant harm within two weeks of its launch by infecting multiple victims and demanding substantial ransoms.
The emergence of VanHelsing aligns with other developments in the ransomware landscape, including the evolution of Albabat ransomware to target Linux and macOS systems, the rise of BlackLock ransomware as a prominent RaaS group, and the utilization of malware frameworks like SocGholish to distribute ransomware. Furthermore, threat actors are exploiting vulnerabilities in security systems like Fortinet firewall appliances to deploy newly discovered ransomware strains.
In February 2025, ransomware incidents reached a record high, affecting 962 victims, with the Cl0p RaaS group claiming 335 victims, as reported by Bitdefender. A concerning trend is the increase in remote encryption attacks, where attackers compromise an unmanaged endpoint to encrypt data on managed machines. Organizations are urged to enhance their cybersecurity measures and actively monitor suspicious activities to protect against ransomware threats.
As the ransomware landscape continues to evolve and cybercriminals adopt sophisticated tactics, vigilance and robust cybersecurity practices are essential for organizations to safeguard their data and systems from malicious attacks.