Unlike traditional one-off ransomware campaigns, VanHelsing operates as a commercialized enterprise, offering affiliates a turnkey locker platform for a $5,000 deposit and allowing them to retain 80% of collected ransoms.
This model incentivizes rapid scaling, driving greater attack frequency and reach. Notably, VanHelsing supports a wide range of operating systems, including Windows, Linux, BSD, ARM, and ESXi virtualization environments, dramatically expanding its target pool beyond the typical Windows focus.
VanHelsing has already claimed at least three successful breaches within two weeks of its debut, including negotiations with ransom demands reportedly reaching $500,000. Affiliates control their attacks using an intuitive panel.
They can customize every element of an operation using an extensive set of command-line parameters, such as targeting specific drives, enabling unobtrusive “silent” mode execution, and activating lateral movement features.
The platform’s only stated restriction is a prohibition on targeting entities in the Commonwealth of Independent States (CIS).
At its core, the VanHelsing ransomware is a C++ binary built for resilience and flexibility. Upon execution, it enforces a mutex (“GlobalVanHelsing”) to prevent concurrent encryption processes, though attackers can bypass this safeguard using the --Force parameter.
Process priority is typically set to high for rapid file encryption, with an option to disable it (--no-priority) for stealthier infiltration.
VanHelsing’s cryptography is designed for speed while making recovery infeasible. Each targeted file receives its own random key and nonce, which are encrypted with an embedded Curve25519 public key; the file data itself is encrypted with the ChaCha20 stream cipher.
Large files, such as database assets, have only 30% of their content encrypted for efficiency, while smaller files are fully encrypted in chunks of 1 MB. The ransomware stores the hex-encoded (public-key-wrapped) keys and nonces alongside the encrypted file chunks, so recovery without the corresponding private key is virtually impossible.
A standout feature, the “--Silent” mode, splits attacks into two phases: one for heavy encryption and another for renaming files (appending .vanhelsing).
This evasion tactic diminishes the likelihood of detection by endpoint security tools that monitor suspicious simultaneous encryption and renaming events.
VanHelsing’s network propagation capabilities pose a severe risk. The ransomware scans local networks for SMB servers, enumerates shared drives, avoids critical domain shares such as NETLOGON and sysvol, and spreads via a bundled psexec.exe utility. Affiliates can execute the locker remotely across multiple systems to spread the infection laterally and rapidly.
To prevent recovery, VanHelsing aggressively deletes Windows Volume Shadow Copies using WMI queries and process chains (cmd.exe spawning wmic.exe with shadowcopy delete commands), a hallmark of advanced ransomware tactics.
Mitigation measures include rigorous backup practices (offline and segmented storage), robust network segmentation to limit lateral spread, and high-fidelity detection rules that cover command-line and network behaviors.
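The detection side of that mitigation advice, written as an added example (not code from the article, from Picus, or from the malware itself): three checks over constructed Sysmon-style events covering the behaviours described above, namely the cmd.exe → wmic.exe "shadowcopy delete" chain, a burst of renames to the .vanhelsing extension that does not depend on seeing encryption events (because --Silent mode separates the two phases), and one host fanning out SMB connections to many peers. The event field names, the sample events, and the window and threshold values are assumptions chosen for illustration, not a real telemetry schema.

```python
from collections import defaultdict

# Constructed sample telemetry (assumption: our own field names, not a real
# Sysmon schema). ws01 shows the shadow-copy deletion chain and an SMB fan-out;
# ws02 shows only the rename phase of --Silent mode, with no encryption events;
# ws03 is a benign rename that must not fire anything.
SAMPLE_EVENTS = (
    [{"ts": 10, "kind": "process", "host": "ws01", "image": "cmd.exe",
      "parent": "locker.exe", "cmdline": "cmd.exe /c wmic shadowcopy delete"},
     {"ts": 11, "kind": "process", "host": "ws01", "image": "wmic.exe",
      "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
     {"ts": 12, "kind": "process", "host": "ws01", "image": "wmic.exe",
      "parent": "cmd.exe", "cmdline": "wmic os get caption"}]
    + [{"ts": 20 + i, "kind": "network", "host": "ws01",
        "dst": f"10.0.0.{i}", "dport": 445} for i in range(1, 13)]
    + [{"ts": 300 + i, "kind": "rename", "host": "ws02",
        "src": f"C:\\data\\report{i}.docx",
        "dst": f"C:\\data\\report{i}.docx.vanhelsing"} for i in range(25)]
    + [{"ts": 400, "kind": "rename", "host": "ws03",
        "src": "C:\\tmp\\a.txt", "dst": "C:\\tmp\\b.txt"}]
)


def detect_shadow_copy_deletion(events):
    """Flag wmic.exe spawned by cmd.exe with 'shadowcopy' and 'delete' on its command line."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        cmd = e["cmdline"].lower()
        if (e["image"].lower() == "wmic.exe" and e["parent"].lower() == "cmd.exe"
                and "shadowcopy" in cmd and "delete" in cmd):
            alerts.append({"rule": "shadow_copy_deletion", "host": e["host"], "ts": e["ts"]})
    return alerts


def detect_rename_burst(events, ext=".vanhelsing", window=60, threshold=20):
    """Flag a host renaming >= threshold files to the ransom extension within `window` seconds.
    Deliberately ignores write/encryption telemetry so the rename-only phase still fires."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "rename" and e["dst"].lower().endswith(ext):
            by_host[e["host"]].append(e["ts"])
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "rename_burst", "host": host, "ts": t,
                               "count": end - start + 1})
                break                              # one alert per host is enough
    return alerts


def detect_smb_fan_out(events, window=120, threshold=10):
    """Flag a host opening SMB (TCP 445) connections to >= threshold distinct peers in `window` seconds."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "network" and e["dport"] == 445:
            by_host[e["host"]].append((e["ts"], e["dst"]))
    alerts = []
    for host, conns in by_host.items():
        conns.sort()
        start = 0
        for end, (t, _) in enumerate(conns):
            while t - conns[start][0] > window:
                start += 1
            peers = {d for _, d in conns[start:end + 1]}
            if len(peers) >= threshold:
                alerts.append({"rule": "smb_fan_out", "host": host, "ts": t, "peers": len(peers)})
                break
    return alerts


def run_detections(events):
    """Run all three checks and return the combined alert list."""
    return (detect_shadow_copy_deletion(events)
            + detect_rename_burst(events)
            + detect_smb_fan_out(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The rename check is the one worth keeping separate from any "encryption + rename" correlation rule: a detector that requires both signals in the same window is exactly what the two-phase mode is built to slip past. Thresholds should be tuned per environment; backup agents and migration tools will legitimately rename many files, so the extension match is what keeps the rule specific.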
Simulating VanHelsing and other emerging threats using platforms like Picus Security Validation can help organizations test and enhance their defenses against this growing ransomware menace.
The post VanHelsing Ransomware RaaS Expands Reach to Windows, Linux, BSD, ARM and ESXi Environments appeared first on Cyber Security News.