A brand-new ransomware threat has emerged from the shadows, and it’s not messing around. The VanHelsing ransomware-as-a-service (RaaS) operation launched March 7, 2025, and has already infected three victims in just two weeks. Talk about hitting the ground running.
This Russian cybercrime project requires new affiliates to cough up a $5,000 deposit. But hey, they get to keep 80% of ransom payments, which is pretty generous in the criminal underworld. The remaining 20% goes to the operators. Like most Russian malware, VanHelsing prohibits attacks on Commonwealth of Independent States countries. No surprise there.
The technical aspects are actually impressive. Written in C++, this ransomware targets Windows, Linux, BSD, ARM, and ESXi systems. It uses ChaCha20 and Curve25519 for encryption, slapping files with the .vanhelsing extension. Smart enough to avoid critical system files, it only encrypts the first 30% of large files to speed things up. Efficient criminals, these ones.
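Encrypting only the first 30% of large files is a speed trade-off, but it also leaves a content-level signature that an incident responder can hunt for without relying on the `.vanhelsing` extension: ChaCha20 output is indistinguishable from random bytes, so the head of a partially encrypted file has near-maximal Shannon entropy while the untouched tail keeps the low entropy of ordinary documents or logs. The triage helper below is an added example written for this article, not code from the VanHelsing operators or from any vendor report; the 30% head size applied from offset 0, the 7.5 bits/byte threshold, and the constructed sample files are assumptions for the demo.

```python
"""Entropy-based triage for files that may be partially encrypted.

Added example (not the page's or any vendor's code): shows why a ransomware
that encrypts only the first 30% of a large file is still detectable from
file content alone. Constructed samples stand in for real victim files.
"""
import math
import os
from collections import Counter

HEAD_FRACTION = 0.30      # assumption: the encrypted region starts at offset 0
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0
MIN_SAMPLE = 256          # below this, entropy estimates are too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_head_tail(data: bytes, fraction: float = HEAD_FRACTION):
    """Split a file image into the region the ransomware encrypts and the rest."""
    cut = int(len(data) * fraction)
    return data[:cut], data[cut:]


def classify(data: bytes) -> str:
    """Return 'partial', 'full', 'clean' or 'too-small' from head/tail entropy.

    'partial' is the signature of interest here: a random-looking head in
    front of a low-entropy tail. 'full' means the whole file looks random,
    which is also what a legitimately compressed or encrypted file looks like,
    so it needs corroboration (extension, magic bytes, timestamps).
    """
    head, tail = split_head_tail(data)
    if len(head) < MIN_SAMPLE or len(tail) < MIN_SAMPLE:
        return "too-small"
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    if h_head >= ENTROPY_THRESHOLD and h_tail < ENTROPY_THRESHOLD:
        return "partial"
    if h_head >= ENTROPY_THRESHOLD and h_tail >= ENTROPY_THRESHOLD:
        return "full"
    return "clean"


def build_samples() -> dict:
    """Constructed sample 'files': a plaintext log, a partially encrypted copy
    (random bytes stand in for the ChaCha20-encrypted head), and a fully
    random file."""
    plain = b"2025-03-07 10:00:01 INFO service started\n" * 400
    head, tail = split_head_tail(plain)
    partial = os.urandom(len(head)) + tail
    full = os.urandom(len(plain))
    return {"plain": plain, "partial": partial, "full": full}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        head, tail = split_head_tail(blob)
        print(f"{name:8s} head={shannon_entropy(head):.2f} "
              f"tail={shannon_entropy(tail):.2f} -> {classify(blob)}")
```

In practice you would run `classify()` over the bytes of files on a suspect share and treat a cluster of `partial` results as a strong indicator that encryption is in progress, even before any file has been renamed.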
VanHelsing has set its sights on government sectors in the US and France, manufacturing industries, and pharmaceutical companies. Word is they’re eyeing finance and healthcare next. Current victims include two US tech companies and a Texas city, with ransom demands reaching a cool $500,000 in Bitcoin. The ransomware employs a double extortion strategy: it encrypts files and also steals sensitive data, maximizing leverage against victims. As with infostealer trojans, a VanHelsing infection can lead to costly downtime exceeding $10,000 per hour for affected businesses.
The “Silent Mode” feature is particularly sneaky. It separates encryption from file renaming to avoid detection by security tools. The ransomware also deletes shadow copies using WMI and can spread through networks via SMB, packing an embedded PsExec.exe. Neat trick.
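Two of the behaviours just described, shadow copy deletion through WMI and lateral movement with the embedded PsExec binary, are loud in endpoint telemetry even when Silent Mode hides the file renaming. The detector below is an added example written for this article, not the page's or any vendor's code: it runs simple rules over constructed Sysmon-style process-creation (event 1) and service-install (event 7045) records. The field names, rule names, sample hostnames and matching patterns are assumptions for the demo; real sensors name these fields differently.

```python
"""Detection rules for WMI shadow copy deletion and PsExec-based lateral
movement, run over constructed endpoint telemetry.

Added example (not the page's or any vendor's code). Events are JSON lines
modelled loosely on Sysmon event 1 (process creation) and Windows event 7045
(service installed); all hosts, paths and command lines are constructed.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    evidence: str


# Shadow copy deletion via WMI: either wmic.exe directly or a PowerShell
# wrapper around the Win32_ShadowCopy class.
WMIC_SHADOW = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
PS_SHADOW = re.compile(r"Win32_ShadowCopy.*?(Remove-WmiObject|\.Delete\(\))",
                       re.IGNORECASE)

# PsExec dropped from the ransomware body: the client binary on the source
# host, or the PSEXESVC service it installs on the target over SMB.
PSEXEC_IMAGE = re.compile(r"\\psexe(c|svc)(64)?\.exe$", re.IGNORECASE)
PSEXEC_SERVICE = re.compile(r"^PSEXESVC$", re.IGNORECASE)


def detect(event: dict) -> list:
    """Apply every rule to one parsed event and return the alerts it raises."""
    alerts = []
    host = event.get("Computer", "?")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if event.get("EventID") == 1:
        if image.lower().endswith("\\wmic.exe") and WMIC_SHADOW.search(cmd):
            alerts.append(Alert("shadow_copy_delete_wmic", host, cmd))
        elif "powershell" in image.lower() and PS_SHADOW.search(cmd):
            alerts.append(Alert("shadow_copy_delete_ps_wmi", host, cmd))
        if PSEXEC_IMAGE.search(image):
            alerts.append(Alert("psexec_execution", host, image))
    elif event.get("EventID") == 7045:
        if PSEXEC_SERVICE.match(event.get("ServiceName", "")):
            alerts.append(Alert("psexec_service_install", host,
                                event.get("ImagePath", "")))
    return alerts


def scan(lines) -> list:
    """Parse JSON lines and collect alerts; malformed lines are skipped so one
    bad record cannot stall the pipeline."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            out.extend(detect(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return out


# Constructed telemetry: WS01 is the first infected host, FS02 the SMB target.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Users\\Public\\update.exe"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Users\\Public\\PsExec.exe", "CommandLine": "PsExec.exe \\\\FS02 -s C:\\Users\\Public\\update.exe"}
{"EventID": 7045, "Computer": "FS02", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic os get caption"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Program Files\\Editor\\editor.exe", "CommandLine": "editor.exe report.docx"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert.rule}] {alert.host}: {alert.evidence}")
```

The benign `wmic os get caption` line shows why the rule keys on the `shadowcopy ... delete` verb pair rather than on wmic.exe alone; a shadow copy deletion followed within minutes by a PSEXESVC install on a second host is the sequence worth paging on.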
After infection, victims get the standard treatment: README.txt ransom notes, a changed desktop wallpaper with the RaaS logo, and threats of data leaks if they don’t pay up. Communication happens through a Tor-based chat portal, because privacy matters to criminals too, apparently. Similar to other threat actors, VanHelsing is known to exploit the authentication bypass flaw in VMware ESXi to gain administrative privileges.
With its advanced features and growing sophistication, VanHelsing marks yet another evolution in ransomware tactics. Great. Just what we needed.