A new ransomware-as-a-service (RaaS) platform named VanHelsing has emerged, claiming its first three victims since its inception on March 7, 2025.
This platform operates on a model requiring affiliates to make a $5,000 deposit, granting them 80% of any ransom payments, while the core operators retain 20%. Notably, VanHelsing prohibits attacks on countries within the Commonwealth of Independent States (CIS).
VanHelsing's ransomware is versatile, targeting multiple operating systems, including Windows, Linux, BSD, Arm, and ESXi, and employs a double extortion tactic, wherein data is exfiltrated before encryption, with threats to leak the information if the ransom isn't paid.
The platform offers a user-friendly control panel compatible with both desktop and mobile devices, featuring a dark mode for ease of use, allowing even the greenest of new ransomware affiliates to easily view and manage their ransomware campaigns.
The ransomware itself, written in C++, executes several malicious actions: it deletes shadow copies, scans local and network drives, and appends the ".vanhelsing" extension to encrypted files.
Subsequently, it alters the desktop wallpaper and generates a ransom note demanding Bitcoin payment. The malware supports various command-line arguments to customize its behavior, such as selecting encryption modes, specifying target locations, propagating to Server Message Block (SMB) servers, and operating in a "Silent" mode that avoids renaming files.
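The behaviours described above (shadow copy deletion, drive scanning, the ".vanhelsing" extension, and a "Silent" mode that skips renaming) each leave something a defender can look for. The following is an added example, not code from the report or from Field Effect: it runs two checks over constructed data. The pipe-separated process log format and the shadow-copy deletion command strings are assumptions used for illustration, not values taken from the report; the extension is the one the report names. The entropy check exists because extension matching alone misses Silent mode.

```python
"""Defender-side checks for the VanHelsing behaviours described in the report.
Constructed sample data; the log format and command strings are assumptions."""
import math
import os
import tempfile
from collections import Counter

# Extension the report says the malware appends to encrypted files.
VANHELSING_EXT = ".vanhelsing"

# Assumed command-line fragments associated with shadow-copy deletion.
# Common defender indicators, not values taken from the report.
SHADOW_DELETE_MARKERS = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "win32_shadowcopy",
)

# Constructed process-creation log lines in an assumed
# "timestamp|host|image|command_line" form.
SAMPLE_PROCESS_LOG = [
    "2025-03-20T10:01:02Z|ws01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2025-03-20T10:05:33Z|ws01|C:\\Users\\a\\Downloads\\update.exe|update.exe --mode full --silent",
    "2025-03-20T10:05:34Z|ws01|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2025-03-20T10:06:00Z|ws02|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
]


def detect_shadow_copy_deletion(log_lines):
    """Return (host, command_line) for each line that looks like shadow-copy deletion."""
    hits = []
    for line in log_lines:
        parts = line.split("|")
        if len(parts) != 4:
            continue  # malformed line: skip it rather than crash the detector
        _, host, _, cmd = parts
        lowered = cmd.lower()
        if any(marker in lowered for marker in SHADOW_DELETE_MARKERS):
            hits.append((host, cmd))
    return hits


def find_renamed_files(root):
    """Walk `root` and return paths carrying the ransomware's extension."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(VANHELSING_EXT):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted content approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_files(root, threshold=7.5, min_size=1024):
    """Cover Silent mode (encrypted but not renamed): flag files whose
    content is near-random regardless of what the name says."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(65536)  # a leading sample is enough to classify
            if len(data) >= min_size and shannon_entropy(data) >= threshold:
                flagged.append(path)
    return sorted(flagged)


def build_sample_tree():
    """Constructed directory: one renamed file, one 'silently' encrypted file
    keeping its original name (random bytes stand in), one plain text file."""
    root = tempfile.mkdtemp(prefix="vh_demo_")
    with open(os.path.join(root, "report.docx" + VANHELSING_EXT), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(root, "budget.xlsx"), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly planning notes\n" * 200)
    return root


if __name__ == "__main__":
    for host, cmd in detect_shadow_copy_deletion(SAMPLE_PROCESS_LOG):
        print(f"[shadow-copy deletion] {host}: {cmd}")
    demo_root = build_sample_tree()
    print("renamed:", find_renamed_files(demo_root))
    print("high entropy:", find_high_entropy_files(demo_root))
```

The decoy `update.exe --silent` line is deliberately not matched: the word "silent" on its own is not evidence of anything, and the entropy threshold of 7.5 bits per byte is a starting point that should be tuned against the compressed or already-encrypted files legitimately present on a given network.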
So far, the VanHelsing ransomware has targeted government, manufacturing, and pharmaceutical sectors in France and the United States.
Source: The Hacker News
Analysis
VanHelsing is not the only new RaaS operation making headlines this month. SuperBlack, another emerging ransomware group, has also surfaced, signaling the emergence of at least two new, aggressive ransomware actors in March 2025 alone.
VanHelsing’s business model reflects a growing trend among cybercriminal enterprises: lower barriers to entry and more lucrative payouts for affiliates. Several recent RaaS groups have shifted towards incentivizing affiliates with lower fees and higher revenue splits, making it easier and more financially beneficial for more cybercriminals to join their ranks. For example, groups like BlackCat/ALPHV, LockBit 3.0, and Ragnar Locker have all increased affiliate payouts to 80-90% in recent years.
One of the most telling signs of VanHelsing’s origins is its explicit rule prohibiting attacks against the Commonwealth of Independent States (CIS). This is a hallmark of ransomware groups such as LockBit, Conti, REvil, and BlackCat/ALPHV: many cybercriminal organizations in the region maintain an informal agreement with Russian authorities under which they refrain from attacking domestic targets and hand over a portion of their profits, and in exchange the authorities look the other way.
The Russian government’s lax enforcement against these groups has long been a point of geopolitical tension, especially following the Colonial Pipeline ransomware attack by DarkSide in 2021 and the subsequent REvil supply chain attacks. Even when the FSB arrested members of REvil in early 2022, many experts speculated that it was more about political maneuvering than a genuine crackdown.
VanHelsing's emergence is yet another reminder that ransomware continues to thrive, evolving in ways that further decentralize the risk for operators while increasing the financial incentives for affiliates. By lowering the cost of entry, expanding cross-platform targeting, and keeping more of their operations in the shadows, groups like VanHelsing are making ransomware even more accessible to criminals worldwide.
As long as countries like Russia continue to provide safe havens for these groups, the ransomware-as-a-service model will remain a formidable threat to organizations everywhere.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from RaaS platforms like VanHelsing. Field Effect MDR users are automatically notified if ransomware activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
While defending against ransomware attacks may seem intimidating at first, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored somewhere different than the operational network so that they will not be encrypted during an attack, and thus can be used to restore devices.
Update and patch software
Regular patching, updating, and maintenance helps protect against, or eliminate, known cybersecurity vulnerabilities in IT systems and is one of the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Secure IoT Devices
It is imperative for organizations to ensure that IoT devices are secured and monitored alongside traditional endpoints. Implementing network segmentation, regular vulnerability assessments, and extending EDR capabilities to encompass a wider array of devices are essential steps in mitigating such sophisticated attack vectors.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.