VanHelsing Ransomware Expands with Multi-Platform Attacks and $500,000 Demands
The rapidly evolving ransomware-as-a-service operation has claimed three victims, leveraging advanced encryption and affiliate-driven tactics while threatening to leak stolen data.
- VanHelsing ransomware, launched on March 7, 2025, targets Windows, Linux, BSD, ARM, and ESXi systems, significantly broadening its reach.
- Three victims have been identified so far, including two U.S.-based technology companies and a city in Texas, with ransom demands reaching $500,000.
- The operation uses cryptographic primitives such as ChaCha20 and Curve25519 for encryption, and employs stealth modes to evade detection.
- Affiliates receive 80% of ransom payments, with the remaining 20% going to the operators, who provide operational automation and direct support.
- Despite code flaws, VanHelsing continues to evolve rapidly, recruiting affiliates and threatening to leak stolen data if ransom demands are unmet.