VanHelsing is a Ransomware-as-a-Service (RaaS) group that emerged in March 2025.
It allows affiliates (other cybercriminals) to rent the ransomware and share profits with the operators. It represents a new wave of professionalized cyber extortion operations, combining advanced cryptography, cross-platform targeting, and a structured affiliate business model.
———————————————————————————————————————————————————————————–
VanHelsing is a new, advanced, and rapidly growing ransomware operation, notable for its multi-platform capability, strong encryption, and professionalized affiliate program, making it one of the more serious threats of 2025. Ransomware is an elite-grade cyber extortion threat — highly dangerous due to its technical sophistication, operational reach, and aggressive business model. Organizations without resilient backups, network segmentation, and active monitoring are at critical risk.
———————————————————————————————————————————————————————————–
The Targeted Device :
Windows, Linux, BSD, ARM, VMware ESXi.
———————————————————————————————————————————————————————————–
Encryption Standard:
ChaCha20 (symmetric) + Curve25519 (asymmetric).
———————————————————————————————————————————————————————————–
Encryption Extension:
.vanhelsing
.vanlocker
———————————————————————————————————————————————————————————–
Vanhelsing Ransomware Features:
-
Multi-platform support
-
CIS targeting restriction
-
Double extortion
-
Shadow copy deletion
-
Network drive encryption
-
ChaCha20 + Curve25519 encryption
-
Wallpaper replacement
-
Bootkit
-
Schedule Task
-
DLL – side loading
-
Mutex creation
-
Process Hollowing
-
WMI & PowerShell persistence
-
Command-line options (silent mode, selective encryption, chunked mode, network drive spreading, stealthier renaming)
-
TOR + Tox communication channels
-
Leak site publishing
-
Persistence techniques
-
Encryption Extension ( .vanhelsing, .vanlocker )
