A new ransomware-as-a-service (RaaS) program, VanHelsingRaaS, has been making waves in the cybercrime community since its launch on March 7 2025.
According to a new technical post by Check Point Research (CPR), within just two weeks, the service had infected three victims, demanding ransoms as high as $500,000.
The program offers free access to reputable affiliates, while new affiliates must pay a $5,000 deposit. Affiliates receive 80% of ransom payments, with the remaining 20% going to the RaaS operators.
VanHelsingRaaS supports multiple platforms, targeting Windows, Linux, BSD, ARM and ESXi systems. Affiliates manage their attacks through an intuitive control panel and use the VanHelsing locker – a sophisticated encryption tool.
The ransomware follows a strict rule: it does not encrypt systems in Commonwealth of Independent States (CIS) countries, a common practice among Russian cybercriminal groups.
VanHelsing Ransomware Features
First detected by CPR on March 16 2025, VanHelsing ransomware is written in C++ and includes command-line arguments for precise control over the encryption process. Attackers can choose to encrypt entire drives, specific directories or individual files.
Notably, its encryption process appears to be in an early stage of development, with some unfinished functionalities.
The malware also includes features to evade detection and ensure persistence.
VanHelsing ransomware employs a range of tactics to maximize its impact, including:
- Using Curve25519 and ChaCha20 encryption, making file recovery difficult without payment
- Implementing a “Silent” mode to bypass detection
- Deleting Windows shadow copies to prevent file restoration
- Spreading via SMB networks when enabled
- Excluding critical Windows files and folders from encryption to avoid system instability
Despite its advanced capabilities, a notable flaw exists in the ransomware’s file extension system. The encrypted files receive the .vanhelsing extension, but the malware attempts to associate them with a .vanlocker icon, causing a mismatch. CPR explained this oversight could lead to operational errors or inconsistencies in execution.
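The .vanhelsing extension described above gives defenders a simple behavioural signal: many files on one host gaining that extension within seconds. The following Python example is added here and is not code from CPR or the original article; the event-line format, host names, threshold and time window are constructed assumptions to adapt to your own file-audit telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".vanhelsing"  # extension the article reports on encrypted files

# Constructed rename events (assumed format): "timestamp host old -> new"
SAMPLE = r"""
2025-03-20T10:00:01 ws01 C:\docs\a.docx -> C:\docs\a.docx.vanhelsing
2025-03-20T10:00:02 ws01 C:\docs\b.xlsx -> C:\docs\b.xlsx.vanhelsing
2025-03-20T10:00:02 ws02 C:\tmp\notes.txt -> C:\tmp\notes.bak
2025-03-20T10:00:03 ws01 C:\docs\my report.pdf -> C:\docs\my report.pdf.VANHELSING
2025-03-20T10:00:04 ws01 C:\docs\d.png -> C:\docs\d.png.vanhelsing
2025-03-20T10:05:00 ws03 C:\x\1.txt -> C:\x\1.txt.vanhelsing
2025-03-20T10:09:00 ws03 C:\x\2.txt -> C:\x\2.txt.vanhelsing
2025-03-20T10:13:00 ws03 C:\x\3.txt -> C:\x\3.txt.vanhelsing
"""

def parse(line):
    """Split one event line; paths may contain spaces."""
    ts, host, rest = line.split(" ", 2)
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, old, new

def burst_hosts(lines, threshold=3, window=timedelta(seconds=10)):
    """Return {host: time of first alert} for hosts where at least
    `threshold` files gained EXT within `window`. Input must be time-ordered."""
    recent = defaultdict(deque)   # host -> timestamps of recent matching renames
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, old, new = parse(line)
        # Count only files that newly gain the extension (case-insensitive).
        if not new.lower().endswith(EXT) or old.lower().endswith(EXT):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(host, ts)
    return flagged

if __name__ == "__main__":
    for host, ts in burst_hosts(SAMPLE.splitlines()).items():
        print(f"ALERT {host}: burst of {EXT} renames at {ts.isoformat()}")
```

In the constructed sample only ws01 trips the rule; ws03 shows the same extension but spread over minutes, which stays below the burst threshold and would need a separate, slower rule.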
Still, VanHelsingRaaS continues to evolve, with researchers discovering multiple compiled versions within days of each other.
“Within just two weeks of its launch, it has already caused significant damage, infecting multiple victims and demanding hefty ransoms,” CPR warned.
“This rapid escalation underscores the program’s effectiveness and the evolving nature of ransomware threats, emphasizing the need for robust cybersecurity measures to combat such sophisticated attacks.”