Md5
7 total3e063dc0de937df5841cb9c2ff3e46515c254d25751269892b6f02d6c6384aef5b28a0fc21ba079b380effb30e853132d7ad18e63064ef80cc6b98db54516f6f97150d47ea7779101be6582fc329c2cd084deb26cd9d8eff3f972e8e0c4adfe66dc5021a0cbdbe6dea26d78afb43ebb3
VanHelsing is a ransomware-as-a-service (RaaS) operation first promoted on cybercrime platforms on March 7, 2025, including RAMP, and described as a rapidly growing multi-platform ransomware family.
Profile source: Mallory opens in a new tabVanHelsing
VanHelsing is a ransomware-as-a-service (RaaS) operation first promoted on cybercrime platforms on March 7, 2025, including RAMP, and described as a rapidly growing multi-platform ransomware family. It targets Windows systems and is also advertised for Linux, BSD, ARM, and ESXi environments. Reported behavior includes encrypting files with the .vanhelsing extension, dropping a README.txt ransom note in affected folders, changing the desktop wallpaper to vhlocker.png, targeting local and network drives, processing files in roughly 1 MB chunks, deleting shadow copies to inhibit recovery, using process hollowing for defense evasion, and supporting command-line options such as --Silent and --no-logs. It reportedly creates the mutex Global\VanHelsing and has been associated with lateral movement via PsExec. Victim communications and extortion infrastructure reportedly use onion domains, TOX, and Bitcoin, with observed ransom demands reaching about $500,000. The RaaS model reportedly requires a $5,000 affiliate deposit and splits proceeds 80/20 between affiliates and operators. Multiple sources state that the operation forbids targeting Russia and other CIS-linked organizations. In mid-2025, the operation published source code for its affiliate panel, data leak blog, and Windows encryptor builder after a former developer using the alias th30c0der allegedly tried to sell the code on the RAMP forum for $10,000. Reporting states the leaked materials included a legitimate Windows builder, Windows encryptor source, a decryptor, a loader, and evidence of development toward an MBR locker, but did not include the Linux builder or databases. The leaked builder reportedly depended on an affiliate panel, previously observed at 31.222.238[.]208, and the panel code included an api.php endpoint. The operators claimed the released code was old and said they planned to return with an updated version branded VanHelsing 2.0. The source-code leak raised concerns about copycat attacks and broader reuse by other threat actors.
Ransomware.live
Ransomware.live
3e063dc0de937df5841cb9c2ff3e46515c254d25751269892b6f02d6c6384aef5b28a0fc21ba079b380effb30e853132d7ad18e63064ef80cc6b98db54516f6f97150d47ea7779101be6582fc329c2cd084deb26cd9d8eff3f972e8e0c4adfe66dc5021a0cbdbe6dea26d78afb43ebb3FEE914521FB507AB978107ACE3B69B4CA41DA89859408BAE23E1512E8C2E614A26C5FFD482A3193.37.69.225193.37.69.162bc1qw92kdpnedjd037lxej9q9336y05v7gql0u4qcvbc1q0cuvj9eglxk43v9mqmyjzzh6m8qsvsanedwrruMITRE ATT&CK
Reporting
Some hacking collectives like DragonForce, VanHelsing, and LockBit ban strikes on Russian-linked targets.
Some crews, like the DragonForce cartel, VanHelsing ransomware-as-a-service group, and notorious LockBit operators, expressly prohibit their gang members and affiliates from hitting Russian and other CIS targets.
Associated Analytic Story Cactus Ransomware DarkGate Malware DarkSide Ransomware Ransomware Revil Ransomware VanHelsing Ransomware
Associated Analytic Story ... VanHelsing Ransomware ...
VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics
“VanHelsing, Silent, CL0P, Chaos, Brain Cipher, Blacksuit: Each involved in 3 incidents…”
VanHelsing first appeared on March 7, 2025, when user @VanHelsingRAAS, active on the RAMP forums, uploaded a post titled “VanHelsingRAAS” promoting RaaS.
"A new multi-platform RaaS operation, dubbed VanHelsing, was first promoted on cybercrime platforms on March 7"
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.