
Mar 24, 2025 | Ravie Lakshmanan | Malware / Ransomware

A relatively new ransomware-as-a-service (RaaS) operation, known as VanHelsing, has recently emerged, claiming three victims since its launch on March 7, 2025.

According to a report by Check Point, the RaaS model adopted by VanHelsing allows a broad range of participants to get involved, including experienced hackers and newcomers, with a required deposit of $5,000. Affiliates are entitled to 80% of the ransom payments, while the core operators receive 20%. The only restriction imposed is not to target the Commonwealth of Independent States (CIS).

VanHelsing boasts the ability to target various operating systems, including Windows, Linux, BSD, Arm, and ESXi, and employs the double extortion model, which involves stealing data prior to encryption and threatening to leak the information unless the victim pays the ransom.

The RaaS operators have also introduced a control panel that is compatible with both desktop and mobile devices, featuring dark mode support. Notably, reputable affiliates can join the program for free, while new affiliates are required to pay the $5,000 deposit.

Upon launch, the C++-based ransomware takes measures to delete shadow copies, enumerate local and network drives, and encrypt files with the extension “.vanhelsing.” The desktop wallpaper is then modified, and a ransom note is dropped onto the victim’s system, urging them to make a Bitcoin payment.

The ransomware also supports various command-line arguments, allowing for customization of its behavior, such as the encryption mode, locations to be encrypted, and the ability to spread the locker to SMB servers.
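The behaviours described above (shadow copy deletion, followed by a burst of files written with the ".vanhelsing" extension, including over SMB) are what an endpoint detection would correlate. The script below is an added example, not code from the article, Check Point or CYFIRMA: it parses constructed telemetry lines, tags each process with the behaviours it exhibits, and rates a process that shows both as critical. The article does not name how shadow copies are removed, so matching the usual Windows vssadmin/wmic command lines is an assumption of this example; the sample events, pids and paths are constructed.

```python
"""Toy endpoint-telemetry detector for the VanHelsing behaviours the article
describes: shadow copy deletion, then a burst of files written with the
'.vanhelsing' extension. Added example, not code from the article, Check Point
or CYFIRMA."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article only says the locker "deletes shadow copies"; matching the usual
# Windows commands for that is an assumption of this example, not a claim
# about VanHelsing's exact command line.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I
)
RANSOM_EXT = ".vanhelsing"  # extension named in the article

# Constructed sample telemetry, one event per line: timestamp|kind|pid|detail.
# pid 4120 behaves like the locker (local and SMB paths); pid 800 is an
# ordinary user process, including a file whose name merely contains the word.
SAMPLE_EVENTS = """\
2025-03-10T09:00:01|process|4120|vssadmin.exe delete shadows /all /quiet
2025-03-10T09:00:03|file_create|800|C:\\Users\\alice\\Documents\\notes.docx
2025-03-10T09:00:05|file_create|4120|C:\\Users\\alice\\Documents\\q1.xlsx.vanhelsing
2025-03-10T09:00:06|file_create|4120|C:\\Users\\alice\\Documents\\q2.xlsx.vanhelsing
2025-03-10T09:00:06|file_create|4120|C:\\Users\\alice\\Pictures\\img1.jpg.vanhelsing
2025-03-10T09:00:07|file_create|4120|C:\\Users\\alice\\Pictures\\img2.jpg.vanhelsing
2025-03-10T09:00:08|file_create|4120|\\\\fileserver\\share\\budget.pdf.vanhelsing
2025-03-10T09:00:09|file_create|800|C:\\Users\\alice\\Documents\\draft.vanhelsing.docx
"""


def parse_events(text):
    """Parse pipe-delimited telemetry into (timestamp, kind, pid, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, int(pid), detail))
    return events


def detect(events, burst_threshold=5, window=timedelta(seconds=60)):
    """Return {pid: set of behaviour tags} for processes that show any tag.

    'shadow_copy_deletion' fires on a matching process command line;
    'vanhelsing_burst' fires when one pid creates at least burst_threshold
    files ending in RANSOM_EXT inside a sliding time window."""
    tags = defaultdict(set)
    writes = defaultdict(list)
    for ts, kind, pid, detail in events:
        if kind == "process" and SHADOW_DELETE.search(detail):
            tags[pid].add("shadow_copy_deletion")
        elif kind == "file_create" and detail.lower().endswith(RANSOM_EXT):
            writes[pid].append(ts)
    for pid, times in writes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                tags[pid].add("vanhelsing_burst")
                break
    return dict(tags)


def severity(tags):
    """Backups removed AND mass encryption from the same pid is the strongest signal."""
    if {"shadow_copy_deletion", "vanhelsing_burst"} <= tags:
        return "critical"
    if tags:
        return "high"
    return "none"


if __name__ == "__main__":
    results = detect(parse_events(SAMPLE_EVENTS))
    for pid, found in sorted(results.items()):
        print(pid, severity(found), sorted(found))
```

The burst threshold and window are deliberately conservative placeholders; in a real deployment they would be tuned per host role, and the extension match should be paired with a check that the process is not a known backup or archiving tool, since the per-pid correlation (not the extension alone) is what keeps false positives down.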

According to CYFIRMA, government, manufacturing, and pharmaceutical companies located in France and the United States have been targeted by the VanHelsing ransomware operation.

Check Point notes that VanHelsing has become a powerful tool for cybercriminals, with a user-friendly control panel and frequent updates. Within just two weeks of its launch, it has already caused significant damage, infecting multiple victims and demanding hefty ransoms.

The emergence of VanHelsing coincides with several developments in the ransomware landscape, including:

  • The discovery of new versions of Albabat ransomware that target Linux and macOS, in addition to Windows, and gather system and hardware information.
  • The BlackLock ransomware, a rebranded version of Eldorado, has become one of the most active RaaS groups in 2025, targeting various sectors such as technology, manufacturing, construction, finance, and retail.
  • BlackLock is actively recruiting traffers to drive the early stages of ransomware attacks, directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.
  • The JavaScript-based malware framework known as SocGholish (aka FakeUpdates) is being used to deliver RansomHub ransomware, attributed to the Water Scylla threat cluster.
  • The exploitation of security flaws in Fortinet firewall appliances (CVE-2024-55591 and CVE-2025-24472) by the Mora_001 threat actor to deliver a newly discovered ransomware strain codenamed SuperBlack, a modified version of LockBit 3.0.
  • The Babuk2 (aka Babuk-Bjorka) ransomware group has been observed reusing data from earlier breaches associated with RansomHub, FunkSec, LockBit, and Babuk to issue fake extortion demands to victims.

According to statistics compiled by Bitdefender, February 2025 was the worst month for ransomware in history, with a record 962 victims, up from 425 victims in February 2024. Of the 962 victims, 335 have been claimed by the Cl0p RaaS group.