The VanHelsing ransomware group, a new cyber threat, emerged in early March 2025 and has quickly gained attention in the cybersecurity landscape. Operated as a ransomware-as-a-service (RaaS) platform, VanHelsing allows affiliates to participate in malicious cyber activities for a share of the ransom proceeds. In its brief yet impactful time on the cybercriminal stage, VanHelsing has targeted high-value industries and critical sectors, leveraging advanced tactics and multi-platform compatibility to infiltrate and extort organizations worldwide.
The VanHelsing platform, which operates under the alias VanHelsingRaaS, stands out in the world of cybercrime due to its affiliate-driven business model. Affiliates are required to pay a deposit of $5,000 to join the platform, and in return, they receive 80% of the ransom payments, while the core operators of the RaaS group retain the remaining 20%. This incentive structure has allowed VanHelsing to quickly expand its reach, recruiting individuals with varying levels of technical expertise to launch ransomware attacks across a wide array of sectors.
Notably, the platform explicitly prohibits attacks against entities within the Commonwealth of Independent States (CIS), a stipulation likely aimed at reducing intra-group conflicts and focusing their efforts on more lucrative and less protected targets globally. This code of conduct allows them to operate with a degree of coordination and structure uncommon in other ransomware groups.
Targeted Sectors and Geographic Focus
The VanHelsing ransomware group has targeted a diverse range of industries, with a particular focus on sectors that deal with sensitive data. Among the primary targets are government entities, law enforcement agencies (LEAs), healthcare organizations, IT and ITES providers, manufacturers, and pharmaceutical companies. These industries often hold valuable intellectual property, financial information, and personal data, making them prime targets for cybercriminals seeking both financial gain and strategic advantages.
Geographically, VanHelsing’s attacks have been primarily concentrated in countries such as the United States, France, Australia, Italy, and Chile. These regions are home to many large corporations and government institutions, further emphasizing the group’s focus on high-value targets. In particular, the group has shown interest in industries such as healthcare, where data breaches can have legal and reputational consequences.
Technical Tactics and Techniques
The VanHelsing ransomware uses various sophisticated techniques to execute its attacks and maintain persistence within compromised systems. Among the tactics employed are Windows Management Instrumentation (WMI) queries, task scheduling, and PowerShell scripts. These techniques allow the group to delete volume shadow copies, schedule recurring executions of malicious code, and perform additional actions without alerting system administrators.
For persistence, VanHelsing utilizes methods such as bootkits and Windows services, ensuring that the ransomware remains active even after the system restarts. The group also uses DLL side-loading, a technique that involves executing malicious payloads by exploiting the way certain programs load shared libraries.
Multi-Platform Attack Mechanism
One of the most interesting aspects of the VanHelsing ransomware is its multi-platform compatibility. The ransomware is designed to infect not just Windows systems but also Linux, BSD, ARM, and even ESXi-based environments. This flexibility allows the group to target a wide variety of organizations, from small businesses to large enterprises operating on diverse IT infrastructures.
The ransomware employs a double-extortion strategy. First, it infiltrates the target network, exfiltrating sensitive data before encrypting critical files. Once the data is encrypted, the attackers threaten to publicly release the stolen information unless the ransom is paid, further increasing the pressure on victims.
The encrypted files are appended with the “.vanhelsing” extension, and a ransom note titled “README.txt” is dropped into each affected directory. This dual threat of data loss and public exposure makes it highly effective at extorting large sums of money from victims.
User-Friendly Tools for Affiliates
To streamline operations, VanHelsing provides affiliates with a user-friendly control panel. This platform, accessible from both desktop and mobile devices, simplifies the execution and management of ransomware attacks. The control panel features a dark mode for better usability, appealing to a broad audience, including those with limited technical experience.
The VanHelsing ransomware is written in C++ and equipped with customizable command-line parameters that allow attackers to target specific drives, directories, or files for encryption. Additionally, the malware includes stealth capabilities designed to evade detection by traditional security systems, making it particularly challenging for cybersecurity professionals to identify and neutralize the threat.
High Ransom Demands and Operational Costs
Ransom demands associated with VanHelsing ransomware attacks have been reported as high as $500,000, typically requested in Bitcoin. The high cost of these ransoms reflects the critical nature of the data being targeted, as well as the group’s confidence in its ability to inflict damage to victims’ operations. This level of sophistication and audacity indicates that VanHelsing is no mere opportunistic ransomware actor but rather a well-organized cybercriminal group capable of orchestrating high-stakes attacks.
Conclusion
The VanHelsing ransomware group’s tactics and use of ransomware-as-a-service pose security risks to critical industries worldwide. As cyber threats continue to grow, organizations must adopt proactive defense strategies to protect against these cyberattacks. Platforms like Cyble provide AI-powered threat intelligence, enabling faster detection and response to new threats like VanHelsing and helping organizations stay protected from cybercriminals. Book a personalized demo today to see how Cyble can help your organization stay protected!
Mitigation and Defense Strategies
- Backup and Recovery: Regularly back up critical data and store backups offline to prevent ransomware from encrypting them.
- Network Segmentation: Isolate sensitive systems to limit ransomware movement within the network.
- Endpoint Detection: Use EDR tools to detect suspicious activities like PowerShell commands or scheduled tasks.
- Application Whitelisting: Only allow trusted programs to run on systems to block malicious executables.
- Multi-Factor Authentication: Enforce MFA for all systems, particularly for privileged accounts and remote access.
- Patch Management: Regularly update systems and software to fix vulnerabilities exploited by ransomware.
- Threat Intelligence: Use threat intelligence platforms to monitor for signs of breaches or ransomware activity.
MITRE Attack Techniques Associated with VanHelsing Ransomware Group
- Windows Management Instrumentation (T1047): VanHelsing executes a WMI query (ROOT\CIMV2 namespace, Win32_ShadowCopy class) to enumerate and delete Volume Shadow Copies on compromised systems.
- Scheduled Task/Job (T1053): Abuses task scheduling to execute malicious code for persistence, potentially masking it under trusted processes, and can be scheduled on remote systems with authentication.
- PowerShell (T1059.001): Utilizes PowerShell scripts to execute malicious commands on compromised systems.
- Native API (T1106): Uses Windows APIs, including COM (CoInitializeEx, CoInitializeSecurity, CoCreateInstance), for interaction with system services.
- Shared Modules (T1129): Executes malicious payloads by loading shared modules, modularizing malware functions like C2 communication through reusable code or OS API functions.
- Malicious File (T1204.002): Drops malicious executables onto the victim’s system, often leveraging embedded images and binaries.
- Scheduled Task/Job (T1053): Adversaries use task scheduling for persistence, running programs at startup or on a schedule, and can also target remote systems with proper authentication.
- Bootkit (T1542.003): Uses bootkits to persist on systems at a layer below the operating system, making full remediation difficult unless suspected and addressed.
