A new ransomware-as-a-service operation called VanHelsing emerged on March 7, 2025, quickly claiming at least three victims. It supports attacks on Windows, Linux, BSD, ARM, and ESXi systems, with affiliates retaining 80% of ransoms after a $5,000 deposit. The group prohibits targeting entities in the Commonwealth of Independent States.
VanHelsing represents a sophisticated evolution in ransomware deployment, first observed on March 7, 2025. Operating as a Ransomware-as-a-Service (RaaS) platform, it lowers barriers for affiliates by requiring only a $5,000 deposit for access to its tools and infrastructure. Affiliates keep 80% of collected ransoms, fostering rapid scaling and widespread attacks.
The operation's broad compatibility sets it apart, targeting Windows, Linux, BSD, ARM architectures, and ESXi virtualization environments. This multi-platform support expands the potential victim base significantly beyond typical Windows-focused threats. Within two weeks of its debut, VanHelsing claimed at least three successful breaches, with ransom negotiations reaching $500,000 in one case.
Technically, the ransomware is a C++ binary designed for flexibility and resilience. It creates a mutex named "Global\VanHelsing" to avoid concurrent executions, a check that can be bypassed with the --Force parameter. Process priority is raised for faster encryption and can be left at normal with --no-priority for stealth. File contents are encrypted with the ChaCha20 stream cipher using a unique random key and nonce per file, and those keys are protected with an embedded Curve25519 public key, so decryption requires the operators' private key.
For efficiency, large files, such as those over 1 GB or database assets, have only 30% of their content encrypted, processed in 1 MB chunks. The --Silent mode splits the operation into phases: encryption first, then renaming the files with the .vanhelsing extension, reducing the chance that endpoint security tools detect the activity.
Lateral-movement capabilities add to the threat: the binary scans for SMB servers, enumerates shares (skipping critical ones such as NETLOGON and sysvol), and uses a bundled psexec.exe for remote execution. It deletes Windows Volume Shadow Copies via WMI queries to hinder recovery. Two variants, compiled five days apart, indicate ongoing development in response to feedback and defensive measures.
Mitigation emphasizes offline backups, network segmentation, and monitoring for behaviors like shadow copy deletion and anomalous SMB traffic.
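As an added example that is not part of the original report (and not code from the malware or any vendor), the following Python triage script turns the monitoring advice above into concrete rules: it scans constructed sample log lines for shadow-copy deletion, the bundled psexec.exe, the "Global\VanHelsing" mutex, the .vanhelsing rename and admin-share access, and only flags a host when several of these behaviours appear together. The log format, the hostnames and the regexes are this example's own assumptions; only the mutex name and file extension come from the report.

```python
import re

# Detection rules for the behaviours described in the report. The regexes are
# this example's own heuristics; only the mutex name and extension are from it.
RULES = {
    "shadow_copy_deletion": re.compile(r"Win32_ShadowCopy|shadowcopy\s+delete|vssadmin.*delete\s+shadows", re.I),
    "psexec_remote_exec": re.compile(r"psexec(64)?\.exe", re.I),
    "vanhelsing_mutex": re.compile(r"Global\\VanHelsing", re.I),
    "vanhelsing_rename": re.compile(r"\.vanhelsing\b", re.I),
    "admin_share_access": re.compile(r"\\\\[\w.-]+\\(ADMIN\$|C\$|IPC\$)", re.I),
}

# Constructed sample log lines (hypothetical hosts and paths, not a real incident).
SAMPLE_LOGS = [
    "2025-03-10T02:11:05Z host=FS01 proc=wmic.exe cmd=\"wmic shadowcopy delete\"",
    "2025-03-10T02:11:09Z host=FS01 proc=svchost.exe event=mutex name=Global\\VanHelsing",
    "2025-03-10T02:12:30Z host=FS01 event=rename src=C:\\data\\q1.xlsx dst=C:\\data\\q1.xlsx.vanhelsing",
    "2025-03-10T02:13:01Z host=FS01 proc=psexec.exe cmd=\"psexec.exe \\\\FS02 -s cmd.exe\"",
    "2025-03-10T02:13:05Z host=FS01 event=smb_connect path=\\\\FS02\\ADMIN$",
    "2025-03-10T02:13:40Z host=FS01 proc=explorer.exe event=file_open path=C:\\Users\\a\\report.docx",
]


def match_line(line: str) -> list[str]:
    """Return the names of every rule that fires on a single log line."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def scan_logs(lines) -> dict[str, int]:
    """Count hits per rule across a batch of log lines."""
    counts = {name: 0 for name in RULES}
    for line in lines:
        for name in match_line(line):
            counts[name] += 1
    return counts


def looks_like_vanhelsing(lines, min_distinct: int = 2) -> bool:
    """Flag the batch only when at least `min_distinct` different behaviours
    co-occur: one rule alone (e.g. an admin pruning shadow copies) is a weak signal."""
    counts = scan_logs(lines)
    return sum(1 for c in counts.values() if c > 0) >= min_distinct


if __name__ == "__main__":
    for name, count in scan_logs(SAMPLE_LOGS).items():
        print(f"{name:22s} {count}")
    print("flag host:", looks_like_vanhelsing(SAMPLE_LOGS))
```

Feed real EDR or Sysmon events through the same functions by adapting the regexes to your log format; the co-occurrence threshold is what keeps a single legitimate vssadmin run from paging anyone.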