
What is the VanHelsing ransomware?
First reported earlier in March 2025, VanHelsing is a new ransomware-as-a-service operation.
Oh, so it's a relatively new player on the malware scene, then. Why the concern?
At least three victims of VanHelsing have already been identified, and a number of variants of the malware have been analysed by security researchers. The fact that VanHelsing runs as a RaaS operation means that the problem could become significantly worse.
Remind me again, what is RaaS?
RaaS stands for ransomware-as-a-service. The criminals behind VanHelsing lease out their tools and infrastructure to "affiliates" who will launch the attacks, and then share a slice of the money they extort with the VanHelsing operators.
Can anyone become a VanHelsing affiliate?
Newcomers to the ransomware scene will need to pay a US $5,000 deposit, but if you are an established cybercriminal you may be allowed to skip payment. VanHelsing affiliates can keep 80% of the ransom payments they extort from their victims - leaving 20% to VanHelsing's operators.
80% sounds like a good deal...
Yes, and this is one of the reasons why the VanHelsing ransomware is a concern. The rich rewards may encourage many more attacks by affiliates against unprepared organisations. I hope you're not tempted!
No, of course not. But are there any rules about being an affiliate?
The one main rule is that VanHelsing affiliates are strictly banned from targeting computer systems in the Commonwealth of Independent States (CIS).
So attacking CIS countries with VanHelsing is forbidden?
Correct. CIS member countries are all allied with Russia, and include a number of former Soviet republics:
- Armenia
- Azerbaijan
- Belarus
- Kazakhstan
- Kyrgyzstan
- Moldova
- Russia
- Tajikistan
- Uzbekistan
Why would the VanHelsing affiliates be banned from attacking these countries?
Why do you think?
Oh! Because VanHelsing doesn't want to poke the bear...
Bingo! Many ransomware gangs have a policy of not attacking organisations in their home countries (or allies) for fear that law enforcement will take a more active interest in putting an end to their activities.
So does VanHelsing do the normal things expected of ransomware?
Yes, it will encrypt files on victims' computers, and demand that a ransom is paid for the decryption key. Encrypted files can easily be identified because they have the extension .vanhelsing added to their filenames. As an extra incentive for victims to pay the ransom, data is exfiltrated during the attack and organisations are told that it will be published on a leak site if no payment is made.

So, how much do the attackers demand from their victims?
Security researchers say that they have seen attackers request a ransom of US $500,000 be sent to a Bitcoin wallet.
Are there any other reasons why the cybersecurity community is concerned about VanHelsing?
Well, despite VanHelsing being a relatively new entrant on the digital battlefield, a more sophisticated version of the ransomware has already emerged - increasing worry that resources are actively being put into its development.
Which platforms does it target?
VanHelsing is unusual in targeting a variety of platforms - including Windows, Linux, BSD, ARM, and VMware ESXi - seemingly in an attempt to broaden its capacity to extort a ransom from impacted organisations. So far only Windows-based victims have been reported, however.
So how can my company protect itself from VanHelsing?
The best advice is to follow the recommendations on how to protect your organisation from other ransomware. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers and network devices are properly configured and protected with the latest security patches against vulnerabilities.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company does not need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
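For incident responders, the .vanhelsing extension mentioned earlier is a simple triage indicator. The following is an added example, not part of the original article: a Python sketch that inventories files carrying that extension, recovers their original names, and reports how much of each directory is affected. The function name `triage` and the use of file modification times to estimate when encryption ran are assumptions made for illustration.

```python
import os
from collections import defaultdict

EXT = ".vanhelsing"  # extension the article says is added to encrypted filenames


def triage(root):
    """Walk root and summarise files carrying the ransomware extension."""
    per_dir = defaultdict(lambda: {"encrypted": [], "other": 0})
    mtimes = []
    # followlinks=False avoids symlink loops; onerror skips unreadable directories
    for dirpath, _dirs, files in os.walk(root, followlinks=False,
                                         onerror=lambda err: None):
        for name in files:
            entry = per_dir[dirpath]
            if name.lower().endswith(EXT) and len(name) > len(EXT):
                entry["encrypted"].append(name[:-len(EXT)])  # original filename
                try:
                    mtimes.append(os.lstat(os.path.join(dirpath, name)).st_mtime)
                except OSError:
                    pass  # file vanished or unreadable; it is still counted
            else:
                entry["other"] += 1
    hits = {d: v for d, v in per_dir.items() if v["encrypted"]}
    return {
        "total_encrypted": sum(len(v["encrypted"]) for v in hits.values()),
        "dirs": {
            d: {
                "encrypted": sorted(v["encrypted"]),
                # share of the directory's files that carry the extension
                "ratio": len(v["encrypted"]) / (len(v["encrypted"]) + v["other"]),
            }
            for d, v in hits.items()
        },
        # Assumption: earliest/latest mtime roughly bounds the encryption window
        "window": (min(mtimes), max(mtimes)) if mtimes else None,
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The per-directory list of original names can be compared against backup catalogues to scope a restore.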
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.