Skip to content
Ransomware group

VanHelsing

VanHelsing is a ransomware-as-a-service (RaaS) operation first promoted on cybercrime platforms on March 7, 2025, including RAMP, and described as a rapidly growing multi-platform ransomware family.

Profile source: Mallory opens in a new tab

VanHelsing

Family profile

VanHelsing is a ransomware-as-a-service (RaaS) operation first promoted on cybercrime platforms on March 7, 2025, including RAMP, and described as a rapidly growing multi-platform ransomware family. It targets Windows systems and is also advertised for Linux, BSD, ARM, and ESXi environments. Reported behavior includes encrypting files with the .vanhelsing extension, dropping a README.txt ransom note in affected folders, changing the desktop wallpaper to vhlocker.png, targeting local and network drives, processing files in roughly 1 MB chunks, deleting shadow copies to inhibit recovery, using process hollowing for defense evasion, and supporting command-line options such as --Silent and --no-logs. It reportedly creates the mutex Global\VanHelsing and has been associated with lateral movement via PsExec. Victim communications and extortion infrastructure reportedly use onion domains, TOX, and Bitcoin, with observed ransom demands reaching about $500,000. The RaaS model reportedly requires a $5,000 affiliate deposit and splits proceeds 80/20 between affiliates and operators. Multiple sources state that the operation forbids targeting Russia and other CIS-linked organizations. In mid-2025, the operation published source code for its affiliate panel, data leak blog, and Windows encryptor builder after a former developer using the alias th30c0der allegedly tried to sell the code on the RAMP forum for $10,000. Reporting states the leaked materials included a legitimate Windows builder, Windows encryptor source, a decryptor, a loader, and evidence of development toward an MBR locker, but did not include the Linux builder or databases. The leaked builder reportedly depended on an affiliate panel, previously observed at 31.222.238[.]208, and the panel code included an api.php endpoint. The operators claimed the released code was old and said they planned to return with an updated version branded VanHelsing 2.0. The source-code leak raised concerns about copycat attacks and broader reuse by other threat actors.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

7 total
  • 3e063dc0de937df5841cb9c2ff3e4651
  • 5c254d25751269892b6f02d6c6384aef
  • 5b28a0fc21ba079b380effb30e853132
  • d7ad18e63064ef80cc6b98db54516f6f
  • 97150d47ea7779101be6582fc329c2cd
  • 084deb26cd9d8eff3f972e8e0c4adfe6
  • 6dc5021a0cbdbe6dea26d78afb43ebb3

Tox

1 total
  • FEE914521FB507AB978107ACE3B69B4CA41DA89859408BAE23E1512E8C2E614A26C5FFD482A3

Ip

2 total
  • 193.37.69.225
  • 193.37.69.162

Btc

2 total
  • bc1qw92kdpnedjd037lxej9q9336y05v7gql0u4qcv
  • bc1q0cuvj9eglxk43v9mqmyjzzh6m8qsvsanedwrru

MITRE ATT&CK

VanHelsing in ATT&CK

7 distinct techniques

Reporting

Research mentioning VanHelsing

Jun 16
Cysecurity News

Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors - CySecurity News - Latest Information Security and Hacking Incidents

Some hacking collectives like DragonForce, VanHelsing, and LockBit ban strikes on Russian-linked targets.

Jun 2
Register Security

'Dumbass' criminal breaks the 'first rule of ransomware club'

Some crews, like the DragonForce cartel, VanHelsing ransomware-as-a-service group, and notorious LockBit operators, expressly prohibit their gang members and affiliates from hitting Russian and other CIS targets.

Feb 25
Splunk Research

Detection: Delete ShadowCopy With PowerShell | Splunk Security Content

Associated Analytic Story Cactus Ransomware DarkGate Malware DarkSide Ransomware Ransomware Revil Ransomware VanHelsing Ransomware

Feb 25
Splunk Research

Detection: Resize ShadowStorage volume | Splunk Security Content

Associated Analytic Story ... VanHelsing Ransomware ...

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“VanHelsing, Silent, CL0P, Chaos, Brain Cipher, Blacksuit: Each involved in 3 incidents…”

Aug 13
Medium S2wblog

Ransomware Landscape in H1 2025: Statistics and Key Issues | by S2W | S2W BLOG | Medium

VanHelsing first appeared on March 7, 2025, when user @VanHelsingRAAS, active on the RAMP forums, uploaded a post titled “VanHelsingRAAS” promoting RaaS.

Jul 3
Optiv

First Quarter 2025 Ransomware Trends

"A new multi-platform RaaS operation, dubbed VanHelsing, was first promoted on cybercrime platforms on March 7"

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.