Launched on March 7, 2025, VanHelsing is a new ransomware-as-a-service (RaaS) operation that has already targeted three organizations, demanding ransoms of $500,000 each.

Currently, the ransomware's extortion portal lists victims from the U.S., including a city in Texas, and one from France, all facing significant ransom demands.

Despite its multi-platform capabilities, including targeting Windows, Linux, BSD, ARM, and ESXi systems, all confirmed victims so far have been Windows users.

VanHelsing employs a double extortion tactic, stealing data before encrypting files and threatening to leak information unless ransoms are paid.

Check Point has noted some flaws in VanHelsing's code, such as mismatched file extensions, suggesting that it is still evolving.

To join the affiliate program, newcomers must pay a $5,000 deposit, while experienced cybercriminals can join for free, incentivizing participation.

Attribution suggests that the ransomware operation is likely Russian, as it prohibits targeting organizations within Russia or the Commonwealth of Independent States.

Affiliates of VanHelsing can retain 80% of ransom payments, with operators taking a 20% cut, and payments are processed through an automated escrow system.

The operation has been documented by CYFIRMA and analyzed by Check Point Research, which published its findings on March 23, 2025.

Researchers have identified multiple infections of the VanHelsing ransomware, indicating its active and rapid development since its launch.

The emergence of VanHelsing highlights the ongoing evolution and sophistication of ransomware threats, necessitating enhanced cybersecurity measures.

The operation's design allows for attacks on various operating systems while adhering to a rule against targeting the Commonwealth of Independent States.