Over the last few weeks, an emerging and rapidly growing ransomware-as-a-service (RaaS) operation dubbed VanHelsingRaaS has been attracting attention in the cybercrime world.
Check Point Research has discovered two variants of this scourge, targeting Windows, but in its advert, VanHelsingRaas says it offers tools “targeting Linux, BSD, ARM, and ESXi systems”. Mirroring legitimate tools, the program offers an intuitive control panel that makes operating ransomware attacks child’s play.
The two variants Check Point Research obtained were compiled only five days apart, with the latest version featuring significant updates—a sign of how quickly this ransomware is evolving.
Debuted on 7 March, this RaaS has already infected three victims, demanding huge ransom payments for decryption and the deletion of stolen data—$500,000 to be paid to a specified Bitcoin wallet.
Reputable affiliates are able to join for free, and new affiliates must cough up $5,000 deposit to gain access to it. Once there have been two blockchain confirmations of the victim’s ransom payment, the affiliates get 80% of the take, while the remaining 20% goes to the RaaS operators.
According to Check Point’s researchers, the multi-platform support dramatically extends the reach of the program, allowing it to target a slew of different systems. “However, there is one crucial rule: encryption of systems in CIS (Commonwealth of Independent States) countries is strictly prohibited in typical behavior observed in Russian cybercrime.”
Check Point Research discovered two versions of the VanHelsing ransomware. One variant, compiled on 11 March, differs from the updated 16 March version. An additional file was found, but its embedded binary was ineffective due to an invalid buffer.
The ransomware associated with the VanHelsing RaaS was first discovered on 16 March and is written in C++. Based on its compilation timestamp, it was more than likely deployed the same day against its first victim. The program supports multiple command-line arguments to customize its encryption process, including targeting specific drives, directories, and files. However, some features seem to be incomplete, with log messages present but with no corresponding functionality.
It also drops a ransom note (README.txt) in each affected folder, warning its victims that their data has been encrypted and demanding Bitcoin if they want their data back. The note also threatens permanent data loss if third-party decryptors are used and insists that the encryption is unbreakable.
Also, two embedded images are placed in the C:\Windows\Web folder: vhlocker.png, which replaces the desktop background with the RaaS logo, and vhlocker.ico, meant to associate with encrypted files. However, there’s a flaw in the malware, which causes encrypted files to have a .vanhelsing extension instead of the usual .vanlocker, making the icon association ineffective.
The ransomware’s executable still contains its PDB file path, revealing development details that could help identify other projects by the same author.
“VanHelsingRaaS, a rapidly expanding ransomware-as-a-service program launched in March 2025, has quickly made its mark on the cybercrime landscape,” says Check Point Research. “Within just two weeks of its launch, it has already caused significant damage, infecting multiple victims and demanding hefty ransoms. This rapid escalation underscores the program’s effectiveness and the evolving nature of ransomware threats, emphasizing the need for robust cybersecurity measures to combat such sophisticated attacks.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.