A new ransomware-as-a-service (RaaS) called VanHelsing has emerged as a fast-spreading cyber threat. Launched in March 2025, it quickly infected three organizations within weeks. Its operators, believed to be Russian, offer the service to affiliates for $5,000.
VanHelsing RaaS Targets Multiple Systems
VanHelsing allows affiliates to launch attacks across Windows, Linux, BSD, ARM, and ESXi platforms. Cybersecurity firm CYFIRMA first identified the malware on March 16 after a live attack. The ransomware encrypts files and adds a “.vanhelsing” extension. It also replaces the desktop wallpaper and drops a “README.TXT” ransom note.
One victim reportedly received a $500,000 ransom demand in Bitcoin. VanHelsing uses double extortion, which pressures victims to pay or risk public exposure of their data.
Threat Actors Promote on the Dark Web
Initially, researchers thought VanHelsing only targeted Windows. Soon after, Check Point discovered ads on the dark web offering versions for other systems. The malware’s rapid development signals growing capabilities. Within five days, developers released a newer version with major updates.
Affiliates use a built-in control panel to manage their attacks. This dashboard simplifies campaign operations and offers full oversight.
Developers Equip Affiliates with Advanced Tools
The creators wrote VanHelsing in C++ and built it to support a variety of command-line arguments. Attackers can choose which drives, folders, or files to encrypt. They also gain access to settings for local or network-based encryption.
VanHelsing disables file recovery by deleting Windows Shadow Copies. Its feature list includes encryption modes, self-propagation tools, and debugging support. The creators provide these functions to help affiliates run effective campaigns.
Newcomers must pay $5,000 to join. However, experienced affiliates gain access without an upfront cost. After the victim pays, the affiliate receives 80% of the ransom. The developers collect the remaining 20%.
Cybercriminals Target Critical Sectors
VanHelsing has hit targets in the Government, Manufacturing, and Pharmaceutical sectors. Victims so far include organizations in the US and France. These high-value targets suggest that attackers are pursuing maximum payouts.
To reduce risk, organizations should harden their environments. Strong encryption, multi-factor authentication, and secure configurations are essential. Businesses must also maintain offline backups to protect against total data loss.
