VanHelsingRaaS, a new ransomware-as-a-service (RaaS) affiliate program, was launched on March 7, 2025, and has quickly gained traction in the cybercrime community. With its rapidly evolving malware infrastructure, the RaaS is already causing significant damage.

The Big Picture

[Figure: VanHelsing RaaS advertisement (Source: Check Point)]
  • Affiliates can join VanHelsingRaaS with a deposit of $5,000, while experienced affiliates may join for free.
  • Once a ransom is received, affiliates receive 80% of the payment, with the core operators taking the remaining 20%.
  • Within two weeks of its debut, VanHelsingRaaS had already infected three victims, with demands including one for $500,000.
  • This RaaS's success is due to its quick adoption and usage among affiliates and their increased operational tempo.

VanHelsingRaaS is designed to target a wide array of systems, including Windows, Linux, BSD, ARM, and ESXi. This cross-platform support increases its reach, allowing it to infect a wide range of networks and systems.

Notably, VanHelsing ransomware prohibits attacks on systems located within the Commonwealth of Independent States (CIS), an arrangement similar to that seen in certain regional cybercrime activity involving Russian operators.

Technical Details

The key tool used in this operation is the “VanHelsing” ransomware locker.

  • The ransomware encrypts files with the ChaCha20 algorithm and then uses a Curve25519 public key to encrypt the ephemeral keys and nonces, making the encryption secure.
  • VanHelsing RaaS allows affiliates to customize their attacks using command-line arguments. These options let them decide which files to encrypt, whether to exclude local or network drives, and whether to run the malware in “silent” mode to avoid detection.
  • VanHelsing RaaS also hinders forensic analysis. For example, it deletes shadow copies, the Windows backup files used for system recovery.
  • To keep the system usable to some extent, VanHelsingRaaS excludes certain critical directories from the encryption process, such as Program Files, System Volume Information and the Recycle Bin, as well as files with certain extensions, like .exe, .dll, and .sys.
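
For incident responders, the exclusions listed above help scope recovery. The following is an added example, not code from this article or from Check Point: it applies those exclusions to a file inventory and separates files the locker is described as skipping from files that need restore coverage. The on-disk directory name `$Recycle.Bin`, the function names and the sample inventory are assumptions.

```python
from pathlib import PureWindowsPath

# Exclusions named in the article; the on-disk name "$recycle.bin" for the
# Recycle Bin is an assumption, and the locker's real list may be longer.
EXCLUDED_DIRS = {"program files", "system volume information", "$recycle.bin"}
EXCLUDED_EXTS = {".exe", ".dll", ".sys"}


def exclusion_reason(path):
    """Return why a path falls under the listed exclusions, or None."""
    p = PureWindowsPath(path)  # accepts both '\\' and '/' separators
    # Only parent directories count: a *file* named "Program Files" is not excluded.
    for part in p.parent.parts:
        if part.lower() in EXCLUDED_DIRS:
            return "dir:" + part.lower()
    # Only the final suffix counts, so "invoice.exe.docx" is still in scope.
    ext = p.suffix.lower()
    if ext in EXCLUDED_EXTS:
        return "ext:" + ext
    return None


def scope_recovery(inventory):
    """Split a file inventory into restore candidates and expected-skipped files."""
    in_scope, skipped = [], {}
    for path in inventory:
        reason = exclusion_reason(path)
        if reason is None:
            in_scope.append(path)
        else:
            skipped[path] = reason
    return in_scope, skipped


# Constructed sample inventory (not from a real host).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Program Files\Vendor\config.json",
    r"C:\Users\alice\Downloads\SETUP.EXE",
    r"D:\$RECYCLE.BIN\S-1-5-21\$R1A2B3.docx",
    r"C:/Users/alice/Desktop/invoice.exe.docx",
    r"\\fileserver\finance\ledger.db",
    r"C:\Users\alice\Program Files",
]

if __name__ == "__main__":
    restore, skipped = scope_recovery(SAMPLE_INVENTORY)
    print("restore candidates:", *restore, sep="\n  ")
    print("expected untouched:", *skipped.items(), sep="\n  ")
```

Files reported as skipped should still be integrity-checked during recovery, since this list reflects only the exclusions named in this article.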

Countries Most Affected

While the VanHelsing RaaS service is available globally, the countries most affected are:

  • United States
  • Germany
  • United Kingdom
  • Brazil
  • India

Experts have pointed out that cloud environments or virtualized systems running ESXi or ARM-based platforms could be vulnerable to VanHelsing RaaS.

The Bottom Line

The rapid growth and adoption of VanHelsing RaaS highlights a shift in the cybercrime landscape. RaaS democratizes access to sophisticated cyberattacks, allowing a wide range of actors to participate in high-profile cybercrime campaigns.

IOC

Source: hxxps[://]research[.]checkpoint[.]com/2025/vanhelsing-new-raas-in-town/
