VanHelsing RaaS Launch: A Menacing Trio of Victims, $5K Entry Fee, Multi-OS Capability, and Double Extortion Tactics

Cybersecurity, Insights /

March 24, 2025 – A new and alarming ransomware-as-a-service (RaaS) operation has emerged, named VanHelsing, which has already claimed three victims since its launch on March 7, 2025. With an entry fee of just $5,000, this model invites a broad spectrum of participants—from seasoned hackers to newcomers—into its deadly folds.

Understanding the VanHelsing RaaS Model

According to a report by Check Point, the affiliates involved in the VanHelsing scheme can keep 80% of the ransom payments while the core operators retain the remaining 20%. Notably, the only restriction imposed on affiliates is that they cannot target victims within the Commonwealth of Independent States (CIS).

This new ransomware is not just limited to a specific operating system; it boasts compatibility with a variety of platforms, including Windows, Linux, BSD, Arm, and ESXi. Adding to its nefarious capabilities, VanHelsing utilizes a double extortion model—stealing valuable data before encryption and threatening to leak it unless the victim pays a ransom.

User-Friendly Features for Criminals

One of the standout features of VanHelsing is its user-friendly control panel. It operates seamlessly on both desktop and mobile platforms, complete with support for dark mode. This accessibility is set to empower affiliates considerably.

user-friendly-features

The Intricacies of the VanHelsing Attack

When the C++-based ransomware is deployed, it takes critical steps to inflict damage:

Deletes shadow copies to hinder recovery efforts.
Enumerates local and network drives to identify targets.
Encrypts files, appending the .vanhelsing extension to them.
Modifies the desktop wallpaper and drops a ransom note instructing the victim to make a Bitcoin payment.

VanHelsing also allows for various command-line arguments that dictate specific behaviors, such as encryption modes and locations to encrypt. It can even expand to SMB servers while offering a “Silent” mode to avoid detection.

Target Industries and Victims

Reports from CYFIRMA indicate that government, manufacturing, and pharmaceutical companies located in France and the United States have already been targeted. Check Point noted that VanHelsing is quickly becoming a potent tool for cybercriminals, leading to significant damage within just two weeks of its launch.

The Ransomware Landscape: Trends and Concerns

VanHelsing’s emergence is part of a troubling trend within the ransomware sphere:

Historically high rates of ransomware attacks continue, with records showing a peak of 962 victims in February 2025 alone.
Instances of double extortion have surged, compounded by the rise of remote encryption attacks that target vulnerable endpoints.
Statistics from Bitdefender reveal that the Cl0p RaaS group claimed 335 of the victims referenced in the recent surge—demonstrating a broader pattern of aggressive ransomware deployment.

Conclusion

The rise of VanHelsing serves as a stark reminder of the evolving landscape of cyber threats. With its combination of accessibility and lethal capability, this RaaS model is likely to entice many more affiliates into its orbit. Organizations across sectors must remain vigilant against such threats, employing robust security measures and maintaining heightened awareness of potential vulnerabilities.

Call to Action: Stay informed about the latest ransomware threats and cybersecurity best practices by subscribing to industry newsletters and participating in webinars.

References

Check Point – VanHelsing New RaaS in Town
CYFIRMA – VanHelsing Ransomware Report
Bitdefender Threat Report March 2025

Leave a Comment

Your email address will not be published. Required fields are marked *

en_USEN
bg_BGBG en_USEN