do son 
VanHelsing Control Panel | Image: Check Point
In the ever-evolving landscape of cybercrime, a new and rapidly growing Ransomware-as-a-Service (RaaS) program has emerged: VanHelsingRaaS. Launched on March 7, 2025, this program is already making significant waves in the cybercrime world.
VanHelsingRaaS is a RaaS affiliate program that allows a wide range of participants, from experienced hackers to newcomers, to engage in ransomware attacks. The program operates on a revenue-sharing model, where affiliates keep 80% of the ransom payments, while the core operators earn 20%. To get started, new affiliates are required to pay a $5,000 deposit to gain access to the program.
One of the most notable aspects of VanHelsingRaaS is its flexibility. While Check Point Research has discovered two VanHelsing ransomware variants targeting Windows, the program advertises offerings “targeting Linux, BSD, ARM, and ESXi systems“. This multi-platform support significantly broadens the reach of the ransomware, enabling it to target a wide variety of systems.
The program provides affiliates with an intuitive control panel that simplifies the process of operating ransomware attacks. This lowers the barrier to entry for less experienced cybercriminals and allows for more efficient execution of attacks. The control panel offers a range of features, including:
- Responsive design for desktop and mobile use.
- Automation to avoid human error.
- Regular penetration tests to ensure reliability.
- Direct support from the media and development team.
The VanHelsing ransomware is under active development, with Check Point Research obtaining two variants compiled just five days apart. The newest variant demonstrates significant updates, highlighting the fast-paced evolution of this ransomware.
In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims, demanding large ransom payments for decryption and the deletion of stolen data. In one instance, the attackers demanded $500,000 to be paid to a specified Bitcoin wallet.
The VanHelsing ransomware, first discovered on March 16, 2025, is written in C++. It employs various command-line arguments to control the encryption process, such as targeting specific drives or directories.
The ransomware also has the capability to delete shadow copies, a common tactic used by ransomware to prevent victims from restoring their files without paying the ransom.
To avoid detection, the ransomware includes a “Silent” command-line argument. When this flag is specified, the ransomware splits its functionality into two parts:
- Normal Execution: Enumerates folders, enumerates files, encrypts files.
- Silent Mode: Skips file renaming during the initial encryption process and renames files with the ransomware extension after all files have been encrypted.
This two-stage process in Silent mode is primarily used to evade detection and bypass security measures.
VanHelsing RaaS represents a significant threat in the cybercrime world. Its accessibility, multi-platform support, and rapid development cycle make it a potent tool for cybercriminals. The program’s rapid growth and early success underscore the evolving nature of ransomware threats and the importance of robust cybersecurity measures.
