LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile VanHelsing

VanHelsing RaaS: Multi-Platform Ransomware Targeting Windows, Linux, and ESXi

VanHelsing is a Ransomware-as-a-Service operation launched in March 2025 that targets Windows, Linux, BSD, and ESXi environments with a multi-platform encryptor. With a $5,000 affiliate deposit and an 80/20 revenue split, the group has executed confirmed attacks across North America and Europe.

By Ransomware Tracker ·
VanHelsingRaaSmulti-platformESXiLinuxransomware-2025double-extortionaffiliate-program
Threat Level
8/10
Sectors Targeted
manufacturing
healthcare
finance
critical-infrastructure
government
Ransomware Family
VanHelsing

Overview

VanHelsing is a Ransomware-as-a-Service operation that launched on March 7, 2025, advertising its affiliate program on Russian-language cybercrime forums. The group’s encryptor supports Windows (x86 and ARM), Linux, BSD, and VMware ESXi — a multi-platform capability set that enables attacks across both traditional enterprise Windows environments and the virtualisation infrastructure increasingly central to enterprise operations.

The group operates a conventional double-extortion model: files are encrypted, sensitive data is exfiltrated before encryption, and victims face a payment deadline backed by the threat of public data release on a dedicated leak site.

Affiliate Program Structure

VanHelsing recruits affiliates under terms typical of mid-tier RaaS operations:

  • Entry deposit: $5,000, held as a performance bond
  • Revenue split: 80% to the affiliate, 20% to VanHelsing operators
  • Exclusion: Russian-speaking targets are explicitly prohibited — a standard indicator of a Russia-based or Russia-aligned operation seeking to avoid domestic law enforcement attention

The $5,000 deposit screen limits the affiliate pool to more established actors and provides a degree of operational security — casual actors or law enforcement honeypots are less likely to commit the barrier amount. This positions VanHelsing in the middle tier of RaaS operations: more selective than open-recruitment groups, less exclusive than invitation-only programs like LockBit 3.0 at its peak.

Technical Capabilities

Multi-Platform Encryptor

VanHelsing’s primary differentiator is native multi-platform support. Most RaaS groups maintain separate builds for Windows and Linux/ESXi, often with the Linux build being a port of lower quality. VanHelsing’s encryptor was built with platform breadth as a design requirement.

Windows: Supports both x86 and ARM architectures. This is increasingly relevant as ARM-based Windows devices enter enterprise environments. The encryptor uses standard Windows cryptographic APIs and targets network shares in addition to local drives.

Linux and BSD: Targets file servers and backup appliances running Linux or BSD-based operating systems. These systems frequently hold centralised file storage, backup repositories, and NAS volumes.

VMware ESXi: The hypervisor encryptor targets virtual machine disk files (.vmdk, .vmx, .vmem) on ESXi hosts directly, encrypting virtual machines at rest without needing to compromise individual guest operating systems. This attack pattern can encrypt an entire estate of virtualised workloads in a single operation.

Encryption Approach

VanHelsing uses a hybrid encryption model: symmetric per-file keys encrypted with an asymmetric scheme controlled by the operators. The private key is withheld until payment — the standard mechanism for ensuring ransom leverage.

No publicly disclosed decryption flaws have been identified in VanHelsing’s encryptor. Unlike the Vect operation (which had a fatal key destruction bug), VanHelsing’s encryption appears to function as designed.

Confirmed Activity

Since launching in March 2025, VanHelsing has executed confirmed attacks against organisations in North America and Europe. Victim sectors have included manufacturing, healthcare, and government adjacent organisations. Ransom demands observed in confirmed cases have ranged from mid-five figures to low-seven figures, scaled to assessed victim revenue.

The group’s leak site publishes victim data on a rolling basis following payment deadline expiry. The site follows the now-standard format: a countdown timer, partial data samples as proof of exfiltration, and escalating publication of full datasets post-deadline.

Indicators and Tactics

VanHelsing affiliates have used a range of initial access techniques consistent with the broader RaaS ecosystem:

  • Perimeter device exploitation: Unpatched VPN concentrators and firewalls, consistent with access purchased from initial access brokers
  • Credential stuffing and phishing: Standard affiliate entry paths for environments without multi-factor authentication
  • RDP abuse: Exposed remote desktop services remain a consistent entry point across RaaS affiliate campaigns

Post-compromise activity follows the standard playbook: domain enumeration, credential harvesting, lateral movement to identify backup infrastructure and domain controllers, data staging and exfiltration, followed by mass encryption.

File extension: Encrypted files are appended with the .vanhelsing extension.

Ransom note: Dropped as README.VANHELSING.txt in encrypted directories.

Assessment

VanHelsing has established itself as a credible mid-tier RaaS operator within roughly 12 months of launch. The ESXi-capable encryptor and ARM support represent genuine technical investment, not a quick port. The $5,000 affiliate deposit and geographic exclusion of Russian targets suggest Russian-aligned operators with operational security awareness.

The group has not attracted the same law enforcement attention as top-tier operations — no advisory attributions or indictments have been published. This relative quiet, combined with a functional affiliate program and multi-platform capability, positions VanHelsing for continued growth unless disrupted.

Organisations with significant VMware ESXi estates should treat VanHelsing as a relevant threat. ESXi-targeting ransomware can achieve disproportionate impact relative to the time spent — encrypting an ESXi host can simultaneously take down dozens of virtual machines, including production systems, backup appliances, and management infrastructure.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting