The cybersecurity landscape has recently been shaken by the launch of a ransomware-as-a-service (RaaS) operation named VanHelsing, which has already targeted three victims since its inception on March 7, 2025. The ransoms demanded by VanHelsing have reached as high as $500,000.
This model facilitates participation from a diverse range of individuals, from seasoned hackers to newcomers, who can start with a minimal entry fee of $5,000. According to a report from Check Point, affiliates retain 80% of the ransom payments while the core operators claim the remaining 20%. Importantly, the VanHelsing RaaS operation prohibits targeting the Commonwealth of Independent States (CIS).
VanHelsing’s capabilities extend across multiple operating systems, including Windows, Linux, and BSD among others. The operation employs a double extortion strategy, whereby it first steals data before proceeding to encrypt it, leveraging threats of information leaks to pressure victims into complying. A user-friendly control panel is also in place, optimized for both desktop and mobile devices.
Crucially, the structure of VanHelsing allows reputable affiliates to join at no cost, while new entrants must provide a $5,000 deposit to use the service. Once executed, the ransomware, which is written in C++, deletes shadow copies, identifies both local and network drives, and encrypts files, marking them with the extension ".vanhelsing". It then alters the desktop wallpaper and drops a ransom note that outlines payment procedures in Bitcoin.
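The file-marking behaviour described above lends itself to a simple detection, shown here as an added example that is not from Check Point, CYFIRMA or the original article: a sliding-window count, per host and process, of renames that newly give a file the `.vanhelsing` extension. The log format, host and process names, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MARKER_EXT = ".vanhelsing"        # extension named in the article
WINDOW = timedelta(seconds=60)    # assumed tuning value
THRESHOLD = 5                     # assumed tuning value

# Constructed file-rename telemetry: timestamp|host|process|old_path|new_path
SAMPLE_EVENTS = r"""
2025-03-20T10:00:01|FS01|update.exe|D:\share\q1.xlsx|D:\share\q1.xlsx.vanhelsing
2025-03-20T10:00:02|FS01|update.exe|D:\share\q2.xlsx|D:\share\q2.xlsx.vanhelsing
2025-03-20T10:00:03|FS01|winword.exe|D:\share\~a1.tmp|D:\share\memo.docx
2025-03-20T10:00:03|FS01|update.exe|D:\share\q3.xlsx|D:\share\q3.xlsx.vanhelsing
2025-03-20T10:00:04|FS01|update.exe|D:\share\hr.pdf|D:\share\hr.pdf.vanhelsing
2025-03-20T10:00:05|FS01|update.exe|D:\share\db.bak|D:\share\db.bak.vanhelsing
2025-03-20T10:05:00|WS07|explorer.exe|C:\lab\s.bin|C:\lab\s.bin.vanhelsing
""".splitlines()


def is_marker_rename(old, new):
    """True when a rename newly gives the file the marker extension."""
    ext = MARKER_EXT.lower()
    return new.lower().endswith(ext) and not old.lower().endswith(ext)


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, process): time of first alert} for rename bursts."""
    recent = defaultdict(deque)   # (host, process) -> timestamps inside window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, proc, old, new = line.strip().split("|")
        if not is_marker_rename(old, new):
            continue
        ts = datetime.fromisoformat(ts)
        q = recent[(host, proc)]
        q.append(ts)
        while ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault((host, proc), ts)
    return alerts


if __name__ == "__main__":
    for (host, proc), when in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()} {host} {proc}: mass {MARKER_EXT} renames")
```

Events must be fed in timestamp order; the single rename on WS07 and the ordinary Word save stay below the threshold and raise nothing.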
Additional functionality includes various command-line arguments that control the ransomware’s behavior, such as specifying encryption modes and managing file locations. According to CYFIRMA, entities in government, manufacturing, and pharmaceuticals across France and the United States have already fallen victim to these attacks.
Check Point states that with the combined efficacy of its user-friendly panel and regular updates, VanHelsing is quickly becoming a formidable tool for cybercriminals, having already inflicted substantial damage within a remarkably short time frame.
The onset of VanHelsing highlights significant trends in the evolving ransomware environment. Recent reports reveal new adaptations of existing malware, expansions into various operating systems, and heightened recruitment efforts among RaaS groups. Notably, there’s been an alarming uptick in remote encryption attacks, where actors compromise unmanaged endpoints to encrypt data on managed systems.
Sophos telemetry indicates a 50% year-over-year increase in remote encryption incidents, demonstrating that ransomware groups are increasingly exploiting security gaps within organizations. Chester Wisniewski, a director at Sophos, asserts that these vulnerabilities become prime targets for malicious actors, necessitating a proactive approach in cybersecurity vigilance.
The emergence of VanHelsing’s operations aligns with recent data from Bitdefender, revealing that February 2025 marked the worst month for ransomware incidents on record, impacting 962 victims—a sharp increase from the 425 incidents reported the previous year. Included among these was a significant number of claims attributed to the Cl0p RaaS group.
In summation, the rapid rise of ransomware operations like VanHelsing underscores the critical need for businesses to adopt robust cybersecurity measures. The attack vectors utilized—reflecting tactics from the MITRE ATT&CK framework, including initial access, privilege escalation, and data exfiltration—indicate a sophisticated level of operation that should not be underestimated.