Red Hot Cyber


VanHelsing RaaS: An Expanding Ransomware-as-a-Service Model

Pietro Melillo : 22 March 2025 08:54

The ransomware threat landscape is constantly evolving, with increasingly structured groups adopting sophisticated strategies to maximize profits. VanHelsing is a new player positioning itself in the Ransomware-as-a-Service (RaaS) market, a model that enables even cybercriminals with limited expertise to conduct advanced attacks using an automated platform.

Following the February 23, 2025 announcement on an underground forum regarding the VanHelsing RaaS affiliate program, the ransomware group has officially published its first possible victim on its Data Leak Site (DLS).

Less than a month after its launch, the appearance of the first compromised organization confirms that VanHelsing is now actively operating. Although the DLS remains sparse, the emergence of a victim suggests that affiliates are already distributing the ransomware and that the number of attacks could escalate quickly.

1. VanHelsing RaaS: A Structured Program for Affiliates

The February 23 announcement revealed significant details about how the VanHelsing RaaS program operates. It stands out for its selective recruitment strategy and advanced tools.

Key Features of the Affiliate Program:

  • Invitation-only access → Affiliates with an established reputation in cybercrime can join for free.
  • Entry fee for new affiliates → Those without a prior reputation must pay $5,000 to access the platform.
  • Advanced tools → Access to a web panel, private chat system, encryption key locker, data exfiltration tools, and automated ransomware attack functionalities.
  • Revenue sharing → Affiliates keep 80% of the ransom, while VanHelsing retains 20%.
  • Blockchain escrow system → Funds are released after two confirmations, reducing the risk of fraud between affiliates and developers.
  • Advanced encryption → Utilization of high-level encryption protocols to make the ransomware resistant to countermeasures.
  • Full automation → The ransomware is entirely managed through the control panel, eliminating operational errors and reducing the need for manual intervention.

2. The First Possible Victim Published on the DLS

The first potential victim of VanHelsing RaaS operates in the public sector, with administrative functions. This suggests that the group may be targeting government entities, municipalities, or public services, sectors often vulnerable to ransomware.

The attack appears to follow a double extortion strategy, featuring a 10-day countdown before exfiltrated data is published. This implies that VanHelsing is likely negotiating a ransom with the affected entity, attempting to maximize profits before making any sensitive information public.

3. Anatomy of the DLS

At present, VanHelsing’s DLS contains only one possible victim, which could indicate several scenarios:

  1. The group is testing its infrastructure before launching large-scale attacks.
  2. Other victims are in negotiation and have not yet been listed on the DLS.
  3. Affiliates are still adopting the ransomware, meaning the number of attacks could increase exponentially in the coming weeks.

Experience with other RaaS groups shows that the number of victims tends to grow rapidly as more cybercriminals start using the service.

4. VanHelsing Chat: A Private Communication Platform

Another key element of VanHelsing is its private chat portal, accessible only via a Session ID. This suggests that the group manages ransom negotiations directly with victims and communicates with affiliates without relying on public platforms like Telegram or underground forums.

Advantages of a Private Chat System:

  • Enhanced security → Reduces the risk of infiltration by law enforcement or cybersecurity researchers.
  • Direct ransom request management → Victims can communicate directly with VanHelsing’s team or the affiliate responsible for the attack.
  • Affiliate coordination → RaaS members can receive technical support and operational updates in real-time.

This infrastructure indicates that VanHelsing operates as a centralized and professional ransomware group, distinguishing itself from less organized actors.

5. Conclusions

The emergence of VanHelsing RaaS represents another evolution in the ransomware model, with a highly scalable infrastructure and advanced tools for affiliates. Their focus on automation and operational security suggests that we may see an increase in attacks in the coming months, with significant impacts on businesses and critical infrastructure.

Although the DLS remains minimal for now, the appearance of the first victim in less than a month confirms that the group is already executing real-world attacks. If VanHelsing’s RaaS model gains traction among cybercriminals, the number of attacks could rise rapidly, making it a serious emerging threat in the ransomware ecosystem.

Pietro Melillo
Head of the Dark Lab group. A computer engineer specialised in cyber security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia. He was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM and carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D. He is an author of scientific papers and a developer of tools to support cybersecurity activities. He leads the CTI team "RHC DarkLab".