A new cybercrime toolkit named VanHelsing is quickly making headlines in the digital underground. First spotted in early March 2025, this ransomware service already counts three victims and appears to be gathering momentum fast.
VanHelsing is part of a growing trend where cybercriminals no longer need to build malware from scratch. Instead, they can buy access to full-featured ransomware platforms, complete with payment systems, attack controls, and a business model designed to split profits.
A Ransomware Platform for Cybercriminal Entrepreneurs
How the Affiliate Structure Works
The VanHelsing platform operates like a franchise system for cybercrime. Affiliates, once accepted, can launch attacks using the platform’s ready-made ransomware tools. New users are required to pay an entry fee of $5,000, while experienced or trusted members of the hacker community can join without paying anything.
Each successful ransom payment is split, with 80 percent going to the affiliate and the remaining 20 percent to the developers behind VanHelsing.
This payout structure encourages wide participation, making the platform attractive to a variety of threat actors.
A Key Rule: Avoid Attacking Certain Regions
Operators of VanHelsing enforce a strict policy: do not target countries within the Commonwealth of Independent States (CIS). This is a common condition in ransomware circles, likely meant to protect the developers from local legal actions.
Designed for Scale: Multi-System Targeting and Control Features
Operates Across Different Operating Systems
One of the standout features of VanHelsing is its ability to run on many types of systems. This includes:
- Windows desktops and servers
- Linux environments
- BSD operating systems
- ARM-based devices
- ESXi virtualization platforms
This broad compatibility means attackers using VanHelsing can go after businesses and infrastructure using both traditional and cloud-based networks.
Adjustable Behavior Through Command-Line Tools
The ransomware provides built-in settings that allow the attacker to:
- Choose which folders or systems to encrypt
- Decide whether to change file extensions
- Spread across networks using SMB
- Skip showing visual signs of the attack by using “Silent” mode
After infection, the ransomware appends the extension “.vanhelsing” to encrypted files, replaces the desktop wallpaper, and drops a ransom note demanding payment in Bitcoin.
Combining Encryption with Extortion: The Double Threat Model
How Victims Are Pressured to Pay
VanHelsing doesn’t just lock data. Before encryption begins, it quietly steals important files from the victim’s network. These stolen files are then used to pressure the target: pay the ransom or risk having sensitive information released publicly.
This double extortion approach is designed to leave victims feeling cornered, especially when the data at risk includes personal records, internal financial documents, or customer information.
A Control Panel Built for Ease of Use
Cybercriminals using the VanHelsing service get access to a clean, web-based dashboard. This panel works smoothly on both desktop and mobile devices and even supports dark mode for a better viewing experience.
From the dashboard, affiliates can:
- Track active attacks
- Review stolen data
- Manage payments
- Configure new campaigns
By making the tools simple to use, VanHelsing reduces the technical skills required to launch effective ransomware attacks.
Early Victims and Global Spread
First Targets Reported in the West
According to researchers at CYFIRMA, VanHelsing has already been used against companies in France and the United States. These include organizations from the:
- Government sector
- Manufacturing industry
- Pharmaceutical field
With such high-value targets hit within the first few weeks, the threat posed by VanHelsing is clearly not limited to small or unprotected systems.
Other Threats Growing Alongside VanHelsing
Albabat Broadens Its Reach
The Albabat ransomware has evolved beyond Windows and is now affecting Linux and macOS machines. It collects system data before encrypting files, making it more invasive and dangerous.
BlackLock Rebrands and Expands
A rebranded variant of Eldorado, known as BlackLock, has become one of the top ransomware services in 2025. It targets industries like construction, technology, retail, and finance, and relies on hired helpers to deliver malware through phishing websites and fake updates.
SocGholish Delivers RansomHub
The SocGholish malware, sometimes called FakeUpdates, is now being used to deploy RansomHub, another growing threat. This activity is linked to a hacker group labeled Water Scylla.
Fortinet Flaws Exploited by SuperBlack
Attackers are exploiting known vulnerabilities in Fortinet firewalls, tracked as CVE-2024-55591 and CVE-2025-24472, to deliver a new ransomware named SuperBlack. This variant includes a built-in data theft tool and is believed to be an upgraded form of LockBit 3.0.
Babuk2 Recycles Data for Fake Threats
The group behind Babuk2, also known as Babuk-Bjorka, is reusing leaked data from previous attacks linked to RansomHub, LockBit, and other threats. They are sending out fake demands to new targets using this old information.
Record-Breaking Month for Ransomware
February 2025 Sees Highest Number of Victims
New data from Bitdefender shows that 962 companies were affected by ransomware in February 2025, making it the worst month on record. That’s more than double the number from February 2024, which recorded 425 victims.
Of the 962 cases, 335 were tied to Cl0p, a well-known ransomware group.
This surge highlights how ransomware continues to be one of the most damaging types of cybercrime worldwide.
Remote Encryption Gaining Popularity
Attackers Are Targeting Weak Spots
One growing method involves attackers gaining access to a poorly protected device and then using it to encrypt files across the rest of the connected systems. This is known as remote encryption.
Sophos Reports Sharp Increase
Cybersecurity firm Sophos found that remote encryption attacks have gone up by 50 percent in the past year, and by 141 percent since 2022.
This approach allows attackers to bypass traditional defenses by entering through unnoticed points and then attacking higher-value systems from within.
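As an added illustration (not code from the article or from any vendor it names), the following Python script shows how a defender might flag the two behaviours described above: a burst of file renames that append the reported “.vanhelsing” extension, and whether those renames arrive from a host other than the file server itself, which is the remote encryption pattern Sophos describes. The audit records, host names and alert threshold are constructed for the example.

```python
from collections import Counter

RANSOM_EXTENSION = ".vanhelsing"  # extension the article reports being appended

# Constructed file-server audit records (not real telemetry):
# (timestamp, file_server, source_host, old_path, new_path)
SAMPLE_EVENTS = [
    ("2025-03-10T09:00:01", "fs01", "ws-17", "/share/q1/budget.xlsx", "/share/q1/budget.xlsx.vanhelsing"),
    ("2025-03-10T09:00:02", "fs01", "ws-17", "/share/q1/plan.docx", "/share/q1/plan.docx.vanhelsing"),
    ("2025-03-10T09:00:02", "fs01", "ws-17", "/share/hr/staff.csv", "/share/hr/staff.csv.vanhelsing"),
    ("2025-03-10T09:00:03", "fs01", "ws-17", "/share/hr/pay.csv", "/share/hr/pay.csv.vanhelsing"),
    ("2025-03-10T09:01:10", "fs01", "fs01", "/share/tmp/a.txt", "/share/tmp/a.txt.bak"),  # benign local rename
    ("2025-03-10T09:02:00", "fs02", "fs02", "/data/x.log", "/data/x.log.vanhelsing"),    # single hit, below threshold
]


def is_ransom_rename(old_path, new_path):
    """True when a rename simply appends the reported extension to the original name."""
    return new_path.endswith(RANSOM_EXTENSION) and new_path[:-len(RANSOM_EXTENSION)] == old_path


def detect(events, threshold=3):
    """Count ransom-style renames per (file_server, source_host) and classify each burst.

    A source host that differs from the file server means the files were encrypted
    over the network from another machine: the remote encryption pattern.
    Returns a list of alert dicts, sorted by (file_server, source_host).
    """
    hits = Counter()
    for _ts, server, source, old_path, new_path in events:
        if is_ransom_rename(old_path, new_path):
            hits[(server, source)] += 1
    alerts = []
    for (server, source), count in sorted(hits.items()):
        if count < threshold:
            continue  # a lone rename is not enough to alert on
        kind = "remote_encryption" if source != server else "local_encryption"
        alerts.append({"file_server": server, "source_host": source, "renames": count, "kind": kind})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```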
“Cybercriminals are getting better at hiding their movements,” said Chester Wisniewski, a senior leader at Sophos. “They look for hidden areas in a network and use them as cover. Every business needs to keep a close eye on every part of their system to spot strange activity before it’s too late.”
Final Word: VanHelsing Could Be the Start of a Larger Wave
The early impact of VanHelsing suggests that it is not just another ransomware threat. Its business-style platform, ability to hit multiple system types, and clean interface are making it popular among both experienced hackers and newcomers.
With several victims already confirmed and others likely unreported, VanHelsing is expected to be involved in more attacks in the coming months.
Businesses must stay alert, review their cybersecurity practices, and monitor both endpoints and internal systems closely. The threat is real, and it is evolving fast.
FAQs
What is VanHelsing ransomware as a service?
It is a cybercrime service that lets users pay a fee or join for free to use a shared ransomware platform for launching attacks.
How much does it cost to join VanHelsing?
New users must pay $5,000, while experienced affiliates may be granted free access.
Who are the known victims?
Organizations in France and the United States, including those in government, manufacturing, and pharmaceutical industries.
What operating systems does VanHelsing target?
It works across Windows, Linux, BSD, ARM systems, and ESXi servers.
How does the double extortion tactic work?
Before locking the files, the attackers steal them. Victims are then threatened with public leaks if they don’t pay the ransom.
What is remote encryption in ransomware?
It is when attackers use one device to encrypt data across connected systems without triggering alarms on protected machines.