VanHelsing
VanHelsing is a ransomware-as-a-service (RaaS) operation launched in March 2025. It is described as a rapidly growing, multi-platform ransomware family promoted on cybercrime forums, with support for targeting Windows as well as Linux, BSD, ARM, and ESXi systems. The operation reportedly requires a $5,000 affiliate deposit and uses an 80/20 revenue split in favor of affiliates. It also explicitly forbids attacks against Russian and other CIS targets.
On Windows, VanHelsing encrypts files and appends the .vanhelsing extension, drops a README.txt ransom note in affected folders, and changes the desktop wallpaper to vhlocker.png. Reported behavior includes targeting local and network drives, processing files in roughly 1 MB chunks, deleting shadow copies to inhibit recovery, using process hollowing for defense evasion, and creating the mutex Global\VanHelsing. The malware supports command-line options including --Silent and --no-logs to reduce visibility and artifacts. Reporting also associates it with lateral movement activity using PsExec. Victim communications and payment infrastructure reportedly use onion domains, TOX, and Bitcoin, with observed ransom demands reaching about $500,000.
The operation became notable after source code for its affiliate panel, data leak blog, and Windows encryptor builder was published on the RAMP cybercrime forum following an attempted sale by a former developer using the alias th30c0der. Reporting states the leaked materials included a working Windows encryptor builder, the Windows encryptor source, a decryptor, a loader, and evidence of development toward an MBR locker. The leaked builder reportedly depended on an affiliate panel, previously hosted at 31.222.238[.]208, to retrieve build-time data, and the leaked panel code included an api.php endpoint. The public leak reportedly did not include the Linux builder or the databases. The operators stated they planned to return with a new version branded VanHelsing 2.0.
Detection-related reporting describes YARA coverage for VanHelsing based on code sequences associated with encryption, lateral movement, and shadow copy deletion, and multiple analytics link the ransomware to shadow copy deletion behavior.
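The host artifacts listed above (the .vanhelsing extension, README.txt note, vhlocker.png wallpaper, Global\VanHelsing mutex, --Silent and --no-logs switches, shadow copy deletion, PsExec lateral movement) are the things a responder can actually hunt for without the YARA rules. The script below is an added example, not code from the VanHelsing reporting or from Mallory: it runs those checks over a few constructed, Sysmon-like process, file and mutex events and rolls them up per host. The shadow-copy command lines and PsExec patterns are generic assumptions (the page does not say which command VanHelsing issues), the event field names are assumptions, and the verdict thresholds are the author's; a lone README.txt is deliberately treated as noise.

```python
"""Hunt for VanHelsing-style host artifacts in endpoint telemetry.

Added example, not code from the VanHelsing analysis or from Mallory. The event
shape (dicts resembling Sysmon event IDs 1 and 11 plus a mutex listing from a
sandbox or handle dump) and every sample event below are constructed. The
shadow-copy and PsExec patterns are generic assumptions; only the .vanhelsing
extension, README.txt, vhlocker.png, Global\\VanHelsing and the --Silent /
--no-logs switches come from the reporting summarised on this page.
"""
import re
from collections import Counter

# Generic shadow copy deletion patterns (assumption: any of these is worth a
# look on a workstation or file server, whichever one VanHelsing actually uses).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*(Delete|Remove)", re.I),
]
# PsExec: the service binary dropped on the target, or the client invoked
# against a remote host (assumed patterns, not from the page).
PSEXEC = [
    re.compile(r"\\PSEXESVC\.exe$", re.I),
    re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\", re.I),
]
VANHELSING_SWITCHES = {"--silent", "--no-logs"}   # compared case-insensitively
MUTEX = r"Global\VanHelsing"
FILE_ARTIFACTS = {
    "vanhelsing_extension": re.compile(r"\.vanhelsing$", re.I),
    "ransom_note": re.compile(r"\\README\.txt$", re.I),
    "wallpaper": re.compile(r"\\vhlocker\.png$", re.I),
}


def classify_process(ev):
    """Return the indicator names triggered by one process-creation event."""
    hits = set()
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "")
    if any(p.search(cmd) for p in SHADOW_DELETE):
        hits.add("shadow_copy_deletion")
    if any(p.search(image) or p.search(cmd) for p in PSEXEC):
        hits.add("psexec_lateral_movement")
    # Naive whitespace split: good enough for bare switches, not quoted args.
    if {t.lower() for t in cmd.split()} & VANHELSING_SWITCHES:
        hits.add("vanhelsing_cli_switch")
    return hits


def classify_file(path):
    """Return the file-artifact indicators matched by one created/renamed path."""
    return {name for name, pat in FILE_ARTIFACTS.items() if pat.search(path)}


def classify_mutex(name):
    return {"vanhelsing_mutex"} if name == MUTEX else set()


def score_host(process_events, file_events, mutexes):
    """Count indicators per host and assign a verdict (thresholds are assumptions)."""
    per_host = {}
    for ev in process_events:
        per_host.setdefault(ev["host"], Counter()).update(classify_process(ev))
    for ev in file_events:
        per_host.setdefault(ev["host"], Counter()).update(classify_file(ev["TargetFilename"]))
    for m in mutexes:
        per_host.setdefault(m["host"], Counter()).update(classify_mutex(m["Name"]))
    verdicts = {}
    for host, c in per_host.items():
        strong = c["vanhelsing_extension"] or c["vanhelsing_mutex"]
        # README.txt alone is noise (every source tree has one); it never
        # drives a verdict by itself. Shadow deletion plus a family-specific
        # artifact does.
        paired = c["shadow_copy_deletion"] and (c["vanhelsing_cli_switch"] or c["wallpaper"])
        if strong or paired:
            verdicts[host] = "likely_vanhelsing"
        elif c["shadow_copy_deletion"] or c["psexec_lateral_movement"]:
            verdicts[host] = "investigate"
        else:
            verdicts[host] = "clean"
    return per_host, verdicts


# Constructed sample telemetry (not real captures).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "Image": r"C:\Users\Public\vh.exe",
     "CommandLine": "vh.exe --Silent --no-logs"},
    {"host": "fs02", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws03", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},   # benign admin check
]
SAMPLE_FILE_EVENTS = [
    {"host": "ws01", "TargetFilename": r"C:\Users\alice\Documents\q3.xlsx.vanhelsing"},
    {"host": "ws01", "TargetFilename": r"C:\Users\alice\Documents\README.txt"},
    {"host": "ws01", "TargetFilename": r"C:\Users\Public\vhlocker.png"},
    {"host": "ws03", "TargetFilename": r"C:\dev\project\README.txt"},
]
SAMPLE_MUTEXES = [{"host": "ws01", "Name": r"Global\VanHelsing"}]

if __name__ == "__main__":
    counts, verdicts = score_host(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS, SAMPLE_MUTEXES)
    for host in sorted(verdicts):
        print(host, verdicts[host], dict(counts[host]))
```

On the sample data ws01 is flagged as likely VanHelsing, fs02 only as worth investigating (PSEXESVC on its own is also what a legitimate admin leaves behind), and ws03 stays clean despite a README.txt and a vssadmin invocation, because neither is the deletion or the family-specific artifact.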
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic:
- Execution: 1 technique
- Privilege Escalation: 1 technique
- Stealth: 2 techniques
- Discovery: 1 technique
IOCs tracked for this family
1 indicator (IPs, domains, and DNS infrastructure) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
- Named as a ransomware collective that prohibits attacks on Russian-linked targets.
- Ransomware-as-a-service group referenced as enforcing a rule against targeting Russian and CIS entities.
- Associated analytic stories: Cactus Ransomware, DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware, VanHelsing Ransomware.
- Named ransomware family referenced in associated analytic stories connected to shadow copy manipulation behavior.