VanHelsing: Cross-Platform Ransomware Service Targets Global Organizations


A sophisticated new ransomware-as-a-service (RaaS) program called VanHelsing emerged in March 2025 and claimed multiple victims across the United States and France within weeks of its launch.

Written in C++, the ransomware targets multiple platforms, including Windows, Linux, BSD, ARM, and ESXi. When deployed, VanHelsing encrypts files using Curve25519 and ChaCha20, appending the ".vanhelsing" extension to each encrypted file. The malware also changes the desktop wallpaper and leaves ransom notes demanding payment, with one victim reportedly facing a $500,000 demand.

The RaaS program operates on an affiliate model, where experienced cybercriminals can join freely while new affiliates must pay a $5,000 deposit. After successful ransom payments, affiliates receive 80% of the proceeds, with operators keeping 20%. The service provides affiliates with an intuitive control panel for managing attacks.

Technical analysis reveals VanHelsing includes features like selective encryption of drives and directories, SMB network propagation capabilities, and automatic deletion of Windows shadow copies to prevent data recovery. The ransomware specifically avoids targeting systems in Commonwealth of Independent States (CIS) countries, suggesting Russian origins.

"The ransomware accepts multiple command-line arguments that control the encryption process," noted Check Point researchers who analyzed the malware. They also identified rapid evolution between variants compiled just days apart.

Major targets so far include organizations in government, manufacturing, and pharmaceutical sectors. Security experts recommend implementing strong encryption practices and maintaining robust system backups as protective measures against this emerging threat.
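The ".vanhelsing" extension described above gives defenders a simple signal to watch for in file-activity telemetry: many files gaining that suffix on one host in a short time. The sketch below is an added example, not code from Check Point or from the original article; the log format, host names, threshold and window are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".vanhelsing"  # extension reported in the article
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+) path=(?P<path>.+)$")

# Constructed sample events in a hypothetical log format (not real telemetry).
SAMPLE_LOG = r"""
2025-03-20T10:00:01Z host=FS01 event=rename path=C:\share\q1.xlsx.vanhelsing
2025-03-20T10:00:02Z host=FS01 event=rename path=C:\share\plan.docx.VanHelsing
2025-03-20T10:00:03Z host=FS01 event=create path=C:\share\notes.txt
2025-03-20T10:00:04Z host=FS01 event=rename path=C:\share\db.bak.vanhelsing
2025-03-20T10:00:05Z host=WS07 event=rename path=C:\Users\a\sample.vanhelsing
2025-03-20T10:05:00Z host=WS07 event=rename path=C:\Users\a\sample2.vanhelsing
malformed line without fields
""".strip().splitlines()

def parse(line):
    """Return (timestamp, host, path) for rename/create events, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["event"] not in ("rename", "create"):
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # unparseable timestamp: skip rather than crash
    return ts, m["host"], m["path"]

def detect_bursts(lines, threshold=3, window_s=60):
    """Map host -> peak number of EXT-suffixed files seen inside any
    sliding window, for hosts whose peak reaches the threshold."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    peak = defaultdict(int)
    events = sorted(e for e in map(parse, lines) if e)
    for ts, host, path in events:
        if not path.lower().endswith(EXT):  # case-insensitive suffix match
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[host] = max(peak[host], len(q))
    return {h: n for h, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
```

A single file with the suffix can be a researcher's sample or a test artifact, which is why the check alerts on a burst per host rather than on any one match.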