Executive Summary
VanHelsing is an emerging ransomware-as-a-service (RaaS) threat. Its locker targets an expansive array of platforms, including Windows, Linux, BSD, ARM, and ESXi systems, positioning it as a versatile threat across diverse IT environments.
Key Takeaways
- VanHelsing, a ransomware-as-a-service operation active since March 2025, offers a C++-compiled locker targeting Windows, Linux, BSD, ARM, and ESXi systems.
- Affiliates access the program with a $5,000 deposit (waived for reputable, vetted operators), retain 80% of ransom payments, and are barred from targeting CIS countries.
- The ransomware supports configurable command-line arguments for tailored encryption, though some features remain underdeveloped.
- PolySwarm analysts consider VanHelsing to be an emerging threat.
What is VanHelsing?
The recently discovered VanHelsing RaaS is an emerging ransomware threat. Within two weeks of commencing operations, it had compromised three organizations, demonstrating its potential to disrupt enterprises globally. Built around a ransomware locker written in C++, VanHelsing targets an expansive array of platforms, including Windows, Linux, BSD, ARM, and ESXi systems, positioning it as a versatile threat across diverse IT environments. Check Point Research has reported on VanHelsing.
VanHelsing’s RaaS model caters to both seasoned cybercriminals and newcomers. Reputable affiliates join for free, while others pay a $5,000 deposit, confirmed via blockchain, to access the program. Affiliates retain 80% of ransom proceeds, with the remaining 20% funneled to operators, incentivizing widespread participation. A notable operational constraint prohibits attacks on Commonwealth of Independent States (CIS) countries, a common geopolitical carve-out among ransomware groups. The service provides an intuitive control panel, accessible on desktop and mobile, streamlining attack management for operators.
The ransomware’s technical underpinnings reveal both ambition and immaturity. The original variant, deployed against the first known victim, accepts command-line arguments such as `-h` (help) that let attackers choose encryption targets: network drives, local drives, or specific directories. Analysis, however, indicates incomplete functionality; log messages reference unimplemented features, suggesting ongoing development. Upon execution, VanHelsing encrypts files and drops a ransom note in each affected folder. The note claims theft of sensitive data such as financial reports and personal records, a hallmark of a double-extortion strategy.
A secondary executable, linked to a loader by its PDB path, was also uncovered. Intended to inject an embedded binary into memory, this component currently carries no valid payload data, rendering it inert but hinting at planned enhancements. The rapid iteration between variants, compiled just five days apart, underscores VanHelsing’s active evolution. PolySwarm analysts consider VanHelsing to be an emerging threat.
IOCs
PolySwarm has multiple samples of VanHelsing. The SHA-256 hashes of two of them are:
86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17
99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98
You can use the following CLI command to search for all VanHelsing samples in our portal:
$ polyswarm link list -f VanHelsing
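As an added example that is not part of the PolySwarm report or its tooling, the following Python script shows how a defender can sweep a directory tree and flag any file whose SHA-256 matches the indicators listed above. The demo directory, its file contents, and the `demo()` helper are constructed for illustration; the hash of the constructed file is appended to the indicator set only so the run produces a visible hit, since no real sample is on disk.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes of VanHelsing samples as listed in the report above (lowercase hex).
VANHELSING_SHA256 = {
    "86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17",
    "99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98",
}

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large files never load whole into memory


def sha256_of_bytes(data):
    """Lowercase hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Lowercase hex SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_for_iocs(root, ioc_hashes=VANHELSING_SHA256):
    """Walk `root` and return a sorted list of (path, sha256) for every regular
    file whose hash is in `ioc_hashes`. Symlinks are skipped so the sweep stays
    inside the tree, and unreadable files are skipped instead of aborting."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                file_hash = sha256_of_file(path)
            except OSError:
                continue
            if file_hash in wanted:
                hits.append((path, file_hash))
    return sorted(hits)


def demo():
    """Constructed scenario: a benign file and a 'suspect' file in a temp tree.
    The suspect file's hash is added to the indicator set for the demo only, so
    the sweep reports exactly that file (as a forward-slash relative path)."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "report.txt"
        benign.write_bytes(b"quarterly numbers, nothing to see")  # constructed content
        suspect = Path(tmp) / "sub" / "suspect.bin"
        suspect.parent.mkdir()
        suspect.write_bytes(b"constructed sample content")  # constructed content, not malware
        indicators = VANHELSING_SHA256 | {sha256_of_file(suspect)}
        hits = sweep_for_iocs(tmp, indicators)
        return [Path(p).relative_to(tmp).as_posix() for p, _ in hits]


if __name__ == "__main__":
    for rel in demo():
        print("IOC match:", rel)
```

In practice you would point `sweep_for_iocs()` at a mounted disk image or a staging share rather than at the constructed temp tree, and feed it the full indicator list from your threat-intel platform; hash matching only catches byte-identical samples, so treat it as a triage step rather than the sole detection.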