The ransomware threat landscape is constantly evolving, with increasingly structured groups adopting sophisticated strategies to maximize profits. VanHelsing is a new player positioning itself in the Ransomware-as-a-Service (RaaS) market, a model that enables even cybercriminals with limited expertise to conduct advanced attacks using an automated platform.
Following the February 23, 2025 announcement on an underground forum regarding the VanHelsing RaaS affiliate program, the ransomware group has officially published its first possible victim on its Data Leak Site (DLS).
Less than a month after its launch, the appearance of the first compromised organization confirms that VanHelsing is now actively operating. Although the DLS remains sparse, the emergence of a victim suggests that affiliates are already distributing the ransomware and that the number of attacks could escalate quickly.
1. VanHelsing RaaS: A Structured Program for Affiliates
The February 23 announcement revealed significant details about how the VanHelsing RaaS program operates. It stands out for its selective recruitment strategy and advanced tools.
Key Features of the Affiliate Program:
Invitation-only access → Affiliates with an established reputation in cybercrime can join for free.
Entry fee for new affiliates → Those without a prior reputation must pay $5,000 to access the platform.
Advanced tools → Access to a web panel, private chat system, encryption key locker, data exfiltration tools, and automated ransomware attack functionalities.
Revenue sharing → Affiliates keep 80% of the ransom, while VanHelsing retains 20%.
Blockchain escrow system → Funds are released after two confirmations, reducing the risk of fraud between affiliates and developers.
Advanced encryption → Utilization of high-level encryption protocols to make the ransomware resistant to countermeasures.
Full automation → The ransomware is entirely managed through the control panel, eliminating operational errors and reducing the need for manual intervention.
2. The First Possible Victim Published on the DLS
The first potential victim of VanHelsing RaaS operates in the public sector, with administrative functions. This suggests that the group may be targeting government entities, municipalities, or public services, sectors often vulnerable to ransomware.
The attack appears to follow a double extortion strategy, featuring a 10-day countdown before exfiltrated data is published. This implies that VanHelsing is likely negotiating a ransom with the affected entity, attempting to maximize profits before making any sensitive information public.
3. Anatomy of the DLS
At present, VanHelsing’s DLS contains only one possible victim, which could indicate several scenarios:
The group is testing its infrastructure before launching large-scale attacks.
Other victims are in negotiation and have not yet been listed on the DLS.
Affiliates are still adopting the ransomware, meaning the number of attacks could increase exponentially in the coming weeks.
Experience with other RaaS groups shows that the number of victims tends to grow rapidly as more cybercriminals start using the service.
4. VanHelsing Chat: A Private Communication Platform
Another key element of VanHelsing is its private chat portal, accessible only via a Session ID. This suggests that the group manages ransom negotiations directly with victims and communicates with affiliates without relying on public platforms like Telegram or underground forums.
Advantages of a Private Chat System:
Enhanced security → Reduces the risk of infiltration by law enforcement or cybersecurity researchers.
Direct ransom request management → Victims can communicate directly with VanHelsing’s team or the affiliate responsible for the attack.
Affiliate coordination → RaaS members can receive technical support and operational updates in real-time.
This infrastructure indicates that VanHelsing operates as a centralized and professional ransomware group, distinguishing itself from less organized actors.
5. Conclusions
The emergence of VanHelsing RaaS represents another evolution in the ransomware model, with a highly scalable infrastructure and advanced tools for affiliates. Their focus on automation and operational security suggests that we may see an increase in attacks in the coming months, with significant impacts on businesses and critical infrastructure.
Although the DLS remains minimal for now, the appearance of the first victim in less than a month confirms that the group is already executing real-world attacks. If VanHelsing’s RaaS model gains traction among cybercriminals, the number of attacks could rise rapidly, making it a serious emerging threat in the ransomware ecosystem.
Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia and was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM. He carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D., and is an author of scientific papers and a developer of tools to support cybersecurity activities.
Leads the CTI Team "RHC DarkLab"
Areas of Expertise: Cyber Threat Intelligence, Ransomware, National Security, Training