VanHelsing Ransomware Comes To Encrypt Data

Security firm Cyfirma has recently discovered a new ransomware-as-a-service (RaaS) called VanHelsing. Once a name given to mythical slayers of Vampires, VanHelsing is now attached to a criminal enterprise designed to siphon a business' lifeblood in return for decrypting data, which the threat actors themselves encrypted.

Cyfirma discovered the new ransomware operation on March 16, 2025, although VanHelsing had been advertised on underground hacker forums since March 7, 2025. Regarding operating methodology, VanHelsing does not look to reinvent the wheel. It encrypts files and demands payment for decryption, as is to be expected.

It also employs double extortion tactics, threatening to leak stolen data to pressure victims into paying. Once executed, VanHelsing appends the ".vanhelsing" extension to encrypted files, modifies the desktop wallpaper with the RaaS's logo, and drops a ransom note named "README.txt" on the victim's system.

As for the ransom note, researchers stated,

VanHelsing’s ransom note informs victims that their network has been compromised, with files encrypted and sensitive data—such as personal details, financial reports, and important documents—exfiltrated. To restore access, victims are instructed to pay an unspecified ransom in Bitcoin. The note also warns that refusal to pay will result in the leaked publication of stolen data. Additionally, it cautions against self-recovery attempts, as these may render the encrypted files permanently inaccessible.

By the time of VanHelsing's discovery, the RaaS's data leak and announcement site showed that the ransomware gang had already accrued three scalps, two based in the US and one in France. Two of the victims belong to the technology sphere, while the other victim is a city in Texas. This led researchers to believe the ransomware gang was currently targeting Windows machines in the Government, Manufacturing, and Pharmaceutical sectors.

Check Point Research later discovered two separate variants of the malware, which enabled them to investigate the VanHelsing ransomware gang more thoroughly. Check Point researchers uncovered that while the discovered variants targeted Windows, the RaaS was advertised to allow "targeting [of] Linux, BSD, ARM, and ESXi systems." The RaaS provides an intuitive control panel that simplifies operating ransomware attacks.

Further, the RaaS model allows a wide range of participants, from experienced hackers to newcomers, who can get involved with a 5,000 USD deposit if not considered experienced enough by the administrators. Affiliates keep 80% of the ransom payments, while the core operators earn 20%.

The gang has only one rule: not to target the Commonwealth of Independent States (CIS). The CIS is, to a large extent, the group of states that once made up the Soviet Union, excluding those that joined the EU, together with states within the Kremlin's sphere of influence. This rule is common amongst Russian and Russian-speaking cyber-criminal organizations: the somewhat unwritten understanding is that if they don't target Russians or hinder the Kremlin's operations, they are ignored by local law enforcement.

Lastly, in summarizing VanHelsing's tactics, researchers stated regarding the ransom demanded,

In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims, demanding large ransom payments for decryption and the deletion of stolen data. During negotiations, they demanded $500,000 to be paid to a specified Bitcoin wallet.

VanHelsing Ransomware

With researchers able to get their hands on two separate variants, much of the ransomware's encryption process and operation could be analyzed. In summary, the malware is written in C++ and accepts multiple command-line arguments that control the encryption process. These command-line arguments include instructions on whether to encrypt network and local drives, or only specific directories and files.

The ransomware seems to be in its early stages of development, as some functionality appears incomplete. While log messages for these features are present, the actual actions associated with them do not seem to be implemented at this stage.

The ransomware includes the ability to delete shadow copies. Shadow copies are backup copies of files or volumes created by Windows' Volume Shadow Copy Service (VSS), often used for restoring files or recovering from system failures. Deleting them makes it far harder for victims to recover data encrypted by VanHelsing affiliates without paying.

As for file encryption, VanHelsing uses the ChaCha20 algorithm, generating a fresh 32-byte symmetric key and a 12-byte nonce for each file. The 12-byte nonce is a unique 96-bit value that serves as an initialization vector: combined with the key, it ensures that the same plaintext encrypted under the same key produces a different ciphertext each time, so the keystream is never reused across files and recovering the data without the key is computationally infeasible.

The per-file key and nonce are then encrypted using an embedded Curve25519 public key, and the resulting encrypted key/nonce pair is stored in the encrypted file, so only the holder of the matching private key can recover them. VanHelsing encrypts files larger than 1GB only partially but fully encrypts smaller files.

The malware has at least two encryption modes, normal and stealth. In normal encryption mode, VanHelsing enumerates files and folders, encrypts the file contents, and renames the resulting file, appending the ".vanhelsing" extension. In stealth mode, the ransomware decouples encryption from file renaming, which is less likely to trigger alarms because file I/O patterns mimic normal system behavior.
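The two modes described above have a practical consequence for responders: in normal mode the ".vanhelsing" extension and the "README.txt" note are cheap indicators, but in stealth mode the file keeps its original name, so a triage script also has to look at file contents. The following is an added example (not code from the report or from the ransomware) that scans a directory tree for those indicators and flags unrenamed files whose leading bytes look like random ciphertext; the entropy threshold, the list of skipped compressed formats and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".vanhelsing"   # extension appended in normal mode (from the report)
RANSOM_NOTE = "README.txt"   # ransom note file name (from the report)
ENTROPY_THRESHOLD = 7.5      # bits/byte; ciphertext is ~7.9, plain text ~4-5
# Formats that are compressed by design also score high; skip a few common
# magic numbers to limit false positives (assumed list, extend for your estate).
KNOWN_HIGH_ENTROPY_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: Path, sample_size: int = 4096) -> dict:
    """Sort files into renamed ciphertext, ransom notes and stealth-mode suspects."""
    findings = {"renamed": [], "notes": [], "suspects": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == RANSOM_EXT:            # normal mode: renamed after encryption
            findings["renamed"].append(path.name)
        elif path.name == RANSOM_NOTE:
            findings["notes"].append(path.name)
        else:                                    # stealth mode: name unchanged, body random
            head = path.read_bytes()[:sample_size]
            if not head.startswith(KNOWN_HIGH_ENTROPY_MAGIC) and \
                    shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["suspects"].append(path.name)
    return findings

def build_sample_tree() -> Path:
    """Constructed sample data (not real artifacts): a clean document, a ransom
    note, a renamed ciphertext, a stealth-mode ciphertext that kept its name,
    and a legitimate zip that must not be flagged."""
    root = Path(tempfile.mkdtemp())
    (root / "budget.txt").write_text("quarterly budget figures\n" * 200)
    (root / RANSOM_NOTE).write_text("Your network has been compromised...\n")
    (root / "plan.docx.vanhelsing").write_bytes(os.urandom(4096))
    (root / "invoice.pdf").write_bytes(os.urandom(4096))
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

The entropy check is a triage heuristic for a post-incident sweep, not a substitute for runtime detection; legitimately encrypted or compressed files not covered by the magic-number list will also be flagged and need manual review.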

Check Point researchers concluded,

VanHelsingRaaS, a rapidly expanding ransomware-as-a-service program launched in March 2025, has quickly made its mark on the cybercrime landscape. Offering an accessible entry point for affiliates with a low deposit has attracted a diverse range of participants. The program’s growth is evident in the evolution of its ransomware variants, which have expanded beyond Windows with additional offerings targeting “Linux, BSD, ARM, and ESXi systems”. With a user-friendly control panel and frequent updates, VanHelsing is becoming a powerful tool for cybercriminals. Within just two weeks of its launch, it has already caused significant damage, infecting multiple victims and demanding hefty ransoms. This rapid escalation underscores the program’s effectiveness and the evolving nature of ransomware threats, emphasizing the need for robust cybersecurity measures to combat such sophisticated attacks.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
