  • VanHelsing RaaS is a burgeoning ransomware-as-a-service (RaaS) platform that launched on March 7, 2025. Participants, from seasoned hackers to beginners, can join with a $5,000 deposit. Affiliates retain 80% of ransom payments, while core operators take 20%. The only stipulation is to avoid targeting the Commonwealth of Independent States (CIS).
  • Check Point Research discovered two variants of the VanHelsing ransomware targeting Windows. However, as mentioned in its advertisement, the ransomware-as-a-service (RaaS) also offers additional functionalities that target Linux, BSD, ARM, and ESXi systems.
  • The program provides an intuitive control panel that simplifies operating ransomware attacks.
  • Check Point Research obtained two variants of the VanHelsing Ransomware, compiled just five days apart. The newest variant shows significant updates, highlighting the fast-paced evolution of this ransomware.
  • Less than two weeks after its emergence in the cyber crime community, this ransomware operation has already targeted three known victims, demanding significant ransom payments for decryption and the deletion of stolen data. During negotiations, the attackers requested a payment of $500,000 to be sent to a specified Bitcoin wallet.

VanHelsing RaaS, a new ransomware-as-a-service (RaaS) program, was launched on March 7, 2025, and its rapid growth is raising alarms across the cyber security community. Within just two weeks of its introduction, the operation has already infected three known victims and released a more sophisticated variant, highlighting its potential to become a major player in the ransomware game.

For an in-depth understanding of VanHelsing RaaS, read Check Point Research’s comprehensive report here.

What is VanHelsing RaaS?

VanHelsingRaaS operates on a model that allows various participants—from seasoned hackers to newcomers—to take part in launching ransomware attacks. To join the affiliate program, participants are required to make a $5,000 deposit. Once in, affiliates can reap the rewards, as they keep a whopping 80% of the ransom payments, with only 20% going to the core operators. However, there is one imperative rule: affiliates are strictly prohibited from targeting systems in the Commonwealth of Independent States (CIS).

The ransomware is advertised as multi-platform, targeting Windows, Linux, BSD, ARM, and ESXi systems. This broad compatibility significantly extends its reach, making it a tempting option for affiliates seeking to capitalize on cyber extortion.

The Technology Behind VanHelsingRaaS

Check Point Research has identified two variants of the VanHelsing ransomware specifically targeting Windows systems. However, the program’s representatives boast a more extensive range of capabilities, along with an intuitive control panel designed to simplify the execution of ransomware attacks. Recently obtained samples indicate that the ransomware is being actively updated, with the latest version introducing new command-line arguments and features that reflect ongoing development.

The sophisticated nature of this ransomware, coupled with its user-friendly management tools, makes it appealing to both veteran hackers and those new to the cyber crime scene. The recent updates showcase its rapid evolution, further underlining the potential risks it poses.

Impact and Ransom Demands

VanHelsingRaaS has already made headlines by demanding substantial ransom payments from its victims. Reports indicate that during negotiations, affiliates have required as much as $500,000 to be transferred to a designated Bitcoin wallet. With the ability to encrypt files and demand exorbitant fees for decryption, its operational model is not only alarming for potential victims but also lucrative for those involved in the program.

Protecting your Organization

As VanHelsingRaaS continues to grow and evolve, its impact on the cyber security landscape becomes increasingly significant. The combination of its enticing affiliate program, advanced technology, and broad system compatibility positions it as a formidable threat.

Check Point Threat Emulation and Harmony Endpoint provide strong protection against various threats by identifying malicious behavior before it affects networks. Threat Emulation detects unknown threats and zero-day vulnerabilities; Harmony Endpoint gives users quick access to a secure version of files while the original files are examined thoroughly. This proactive strategy enhances security by ensuring quick access to safe content and effectively identifying and managing potential threats, preserving network integrity.

Check Point Protections
  • Ransomware.Win.FilesMovedOrOverwrites.A
  • Ransomware.Win.TouchTrapFiles.A
  • TS_Ransomware.Win.FilesMovedOrOverwrites.A
  • Trojan.Win.Krap.gl.D
  • Trojan.Wins.Imphash.taim.XT
  • Trojan.Wins.PDB.tapd.ON
