March 25, 2025
VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics

Mar 24, 2025 | Ravie Lakshmanan | Malware / Ransomware

A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025.

“The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%,” Check Point said in a report published over the weekend.

“The only rule is not to target the Commonwealth of Independent States (CIS).”

As with other affiliate-backed ransomware programs, VanHelsing claims to support a wide range of platforms, including Windows, Linux, BSD, ARM, and ESXi. It also employs the double extortion model: data is stolen before encryption, and the operators threaten to leak it unless the victim pays up.

The RaaS operators have also revealed that the scheme offers a control panel that works “seamlessly” on both desktop and mobile devices, with even support for dark mode.

What makes VanHelsing notable is that it lets affiliates with an established reputation join for free, while newcomers must pay a $5,000 deposit to gain access to the program.

Once launched, the C++-based ransomware deletes volume shadow copies (removing the easiest local recovery path), enumerates local and network drives, and encrypts files, appending the “.vanhelsing” extension. It then changes the desktop wallpaper and drops a ransom note on the victim system demanding payment in Bitcoin.

It also accepts command-line arguments that control aspects of its behavior, such as the encryption mode, the locations to encrypt, whether to spread the locker to SMB servers, and a “Silent” mode that encrypts files without renaming them with the ransomware extension. That last option matters for defenders: a detection keyed solely on the “.vanhelsing” extension will miss a silent-mode run.
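As an added example that is not part of the original article or of Check Point’s report, the following Python sketch shows how the encryption-stage behaviour described above could be picked up from host telemetry: a shadow-copy deletion followed, on the same host, by a burst of renames to the “.vanhelsing” extension. It also counts in-place file modifications so that a “Silent” run, which skips the rename, is still caught. The event format, the sample events, the thresholds and the shadow-copy command lines are all constructed for this example; the command lines are generic indicators, not VanHelsing’s exact invocations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".vanhelsing"
WINDOW = timedelta(seconds=60)
RENAME_BURST = 20    # renames to RANSOM_EXT within WINDOW on one host
MODIFY_BURST = 200   # in-place file modifications within WINDOW (catches "Silent" mode)

# Generic shadow-copy-deletion command lines (ATT&CK T1490). Assumption: these are
# commonly abused commands, not claimed to be the ones VanHelsing itself runs.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

def parse_event(line):
    """Constructed event format: ISO timestamp|host|type|detail."""
    ts, host, etype, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, etype, detail

def max_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_host_ransomware(lines):
    """Return {host: {"indicators": [...], "verdict": str}} for hosts with findings."""
    renames, modifies, shadow = defaultdict(list), defaultdict(list), set()
    for line in lines:
        ts, host, etype, detail = parse_event(line)
        if etype == "process" and any(p.search(detail) for p in SHADOW_DELETE):
            shadow.add(host)
        elif etype == "rename":
            _old, _, new = detail.partition(" -> ")
            if new.lower().endswith(RANSOM_EXT):
                renames[host].append(ts)
        elif etype == "modify":
            modifies[host].append(ts)

    findings = {}
    for host in shadow | set(renames) | set(modifies):
        ind = []
        if host in shadow:
            ind.append("shadow_copy_deletion")
        if max_in_window(renames[host]) >= RENAME_BURST:
            ind.append("rename_burst")
        if max_in_window(modifies[host]) >= MODIFY_BURST:   # extension-less "Silent" mode
            ind.append("modify_burst")
        if not ind:
            continue
        burst = "rename_burst" in ind or "modify_burst" in ind
        verdict = "likely ransomware" if ("shadow_copy_deletion" in ind and burst) else "suspicious"
        findings[host] = {"indicators": ind, "verdict": verdict}
    return findings

# Constructed sample telemetry (not real victim data).
_BASE = datetime(2025, 3, 20, 10, 0, 0)
def _t(secs):
    return (_BASE + timedelta(seconds=secs)).isoformat()

SAMPLE_EVENTS = (
    # WS-01: shadow copies deleted, then a burst of renames to the ransomware extension
    [f"{_t(0)}|WS-01|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"]
    + [f"{_t(2 + i)}|WS-01|rename|C:\\Data\\doc{i}.docx -> C:\\Data\\doc{i}.docx{RANSOM_EXT}" for i in range(25)]
    # WS-02: "Silent" mode, files rewritten in place, no extension change
    + [f"{_t(0)}|WS-02|process|wmic shadowcopy delete"]
    + [f"{_t(1 + i // 10)}|WS-02|modify|C:\\Data\\file{i}.xlsx" for i in range(250)]
    # WS-03: benign backup job renaming a handful of files and editing a few
    + [f"{_t(i)}|WS-03|rename|C:\\Data\\log{i}.txt -> C:\\Data\\log{i}.txt.bak" for i in range(5)]
    + [f"{_t(i)}|WS-03|modify|C:\\Data\\log{i}.txt" for i in range(30)]
)

if __name__ == "__main__":
    for host, f in detect_host_ransomware(SAMPLE_EVENTS).items():
        print(host, f["verdict"], ", ".join(f["indicators"]))
```

The thresholds are per host over a 60-second window; backup and build jobs also rename or rewrite many files, so baseline them in your own environment before relying on anything like this.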

According to CYFIRMA, government, manufacturing, and pharmaceutical companies located in France and the United States have become the targets of the nascent ransomware operation.

“With a user-friendly control panel and frequent updates, VanHelsing is becoming a powerful tool for cybercriminals,” Check Point said. Within just two weeks of its launch, it has already caused significant damage, infecting multiple victims and demanding hefty ransoms.

The emergence of VanHelsing coincides with a number of developments in the ever-evolving ransomware landscape –

  • The discovery of new versions of Albabat ransomware that go beyond Windows to Linux and macOS, gathering system and hardware information
  • BlackLock ransomware, a rebranded version of Eldorado, has become one of the most active RaaS groups in 2025, targeting technology, manufacturing, construction, finance, and retail sectors
  • BlackLock is actively recruiting traffers (traffic brokers who funnel victims to attacker-controlled pages) to drive the early stages of ransomware attacks, directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems
  • The JavaScript-based malware framework known as SocGholish (aka FakeUpdates) is being used to deliver RansomHub ransomware, an activity attributed to a threat cluster dubbed Water Scylla
  • The exploitation of security flaws in Fortinet firewall appliances (CVE-2024-55591 and CVE-2025-24472) by a threat actor dubbed Mora_001 since late January 2025 to deliver a newly discovered ransomware strain codenamed SuperBlack, a modified version of LockBit 3.0 that utilizes a custom data exfiltration tool
  • The Babuk2 (aka Babuk-Bjorka) ransomware group has been observed reusing data from earlier breaches associated with RansomHub, FunkSec, LockBit, and Babuk to issue fake extortion demands to victims

According to statistics compiled by Bitdefender, February 2025 was the worst month for ransomware on record, with 962 claimed victims, up from 425 in February 2024. Of the 962 victims, 335 were claimed by the Cl0p RaaS group.

Another notable trend is the rise of remote encryption attacks, in which ransomware operators compromise an unmanaged endpoint (one with no security agent) and use that foothold to encrypt data on managed, domain-joined machines over the network. Because the encrypting process never runs on the protected hosts, their endpoint security sees only file writes arriving over SMB, not a malicious binary.

Telemetry shared by Sophos shows that remote encryption attacks rose 50% year-on-year in 2024 and 141% since 2022.
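As an added example, not from the article or from Sophos, here is a Python sketch of the file-server side of detecting the remote encryption described above. Since the managed hosts see nothing malicious locally, the useful signal is in share-access auditing: one client identity rewriting an unusually large number of distinct files in a short window, especially a client absent from the inventory of agent-managed endpoints. The audit record format, the inventory, the thresholds and the sample events are constructed for this example (Windows records comparable fields in Security event 5145, but the layout here is simplified).

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)
WRITE_BURST = 100   # distinct files rewritten by one client inside WINDOW

# Constructed inventory of endpoints that run an EDR agent. Remote encryption
# works precisely because the encrypting host is not on a list like this.
MANAGED_HOSTS = {"WS-01", "WS-02", "FS-01"}

def parse_share_event(line):
    """Constructed share-audit record: ISO timestamp|client_ip|client_host|share|path.
    Only write accesses are assumed to be logged here."""
    ts, ip, host, share, path = line.split("|", 4)
    return datetime.fromisoformat(ts), ip, host, f"{share}/{path}"

def max_distinct_in_window(events, window=WINDOW):
    """Largest number of distinct paths written inside any sliding window.
    events: list of (timestamp, path) tuples."""
    events = sorted(events)
    live, best, start = defaultdict(int), 0, 0
    for t, path in events:
        live[path] += 1
        while t - events[start][0] > window:      # evict writes that fell out of the window
            old = events[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        best = max(best, len(live))
    return best

def detect_remote_encryption(lines):
    """Return {client_host: {"client_ip", "distinct_files", "verdict"}} for bursty clients."""
    writes = defaultdict(list)
    for line in lines:
        ts, ip, host, path = parse_share_event(line)
        writes[(ip, host)].append((ts, path))
    findings = {}
    for (ip, host), evs in writes.items():
        burst = max_distinct_in_window(evs)
        if burst < WRITE_BURST:
            continue
        if host not in MANAGED_HOSTS:
            verdict = "remote encryption suspected"    # bursty writes from a host no agent can see
        else:
            verdict = "write burst from managed host"  # pivot to process telemetry on that host
        findings[host] = {"client_ip": ip, "distinct_files": burst, "verdict": verdict}
    return findings

# Constructed sample audit records (not real data).
_BASE = datetime(2025, 3, 20, 14, 0, 0)
def _t(secs):
    return (_BASE + timedelta(seconds=secs)).isoformat()

SAMPLE_SHARE_EVENTS = (
    # Unmanaged laptop rewriting 150 distinct files on the Finance share in under a minute
    [f"{_t(i // 3)}|10.10.5.77|LAPTOP-GUEST|Finance|ledger{i}.xlsx" for i in range(150)]
    # Managed workstation doing ordinary work
    + [f"{_t(i * 5)}|10.10.1.20|WS-01|Finance|notes{i}.txt" for i in range(15)]
    # Managed host with an unusually large write burst (bulk job, or a compromised agent host)
    + [f"{_t(i)}|10.10.1.21|WS-02|Archive|export{i}.csv" for i in range(120)]
)

if __name__ == "__main__":
    for host, f in detect_remote_encryption(SAMPLE_SHARE_EVENTS).items():
        print(host, f["client_ip"], f["distinct_files"], f["verdict"])
```

Keying on client identity rather than on the server’s own processes is the point: on the file server every write is performed by the SMB service on behalf of a remote session, so process-based rules never fire. Share auditing must be enabled for this data to exist at all, and the inventory check is only as good as the asset list behind it.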

“Remote encryption has now become a standard part of ransomware groups’ bag of tricks,” said Chester Wisniewski, director and global field CISO at Sophos. “Every organization has blind spots and ransomware criminals are quick to exploit weaknesses once discovered.”

“Increasingly, the criminals are seeking out these dark corners and using them as camouflage. Businesses need to be hypervigilant in ensuring visibility across their entire estate and actively monitor any suspicious file activity.”
