Red Hot Cyber


VanHelsing RaaS: An Expanding Ransomware-as-a-Service Model

Pietro Melillo : 22 March 2025 08:54

The ransomware threat landscape is constantly evolving, with increasingly structured groups adopting sophisticated strategies to maximize profits. VanHelsing is a new player positioning itself in the Ransomware-as-a-Service (RaaS) market, a model that enables even cybercriminals with limited expertise to conduct advanced attacks using an automated platform.

Following the February 23, 2025 announcement on an underground forum regarding the VanHelsing RaaS affiliate program, the ransomware group has officially published its first possible victim on its Data Leak Site (DLS).

Less than a month after its launch, the appearance of the first compromised organization confirms that VanHelsing is now actively operating. Although the DLS remains sparse, the emergence of a victim suggests that affiliates are already distributing the ransomware and that the number of attacks could escalate quickly.

1. VanHelsing RaaS: A Structured Program for Affiliates

The February 23 announcement revealed significant details about how the VanHelsing RaaS program operates. It stands out for its selective recruitment strategy and advanced tools.

Key Features of the Affiliate Program:

• Invitation-only access → Affiliates with an established reputation in cybercrime can join for free.
• Entry fee for new affiliates → Those without a prior reputation must pay $5,000 to access the platform.
• Advanced tools → Access to a web panel, private chat system, encryption key locker, data exfiltration tools, and automated ransomware attack functionalities.
• Revenue sharing → Affiliates keep 80% of the ransom, while VanHelsing retains 20%.
• Blockchain escrow system → Funds are released after two confirmations, reducing the risk of fraud between affiliates and developers.
• Advanced encryption → Utilization of high-level encryption protocols to make the ransomware resistant to countermeasures.
• Full automation → The ransomware is entirely managed through the control panel, eliminating operational errors and reducing the need for manual intervention.

2. The First Possible Victim Published on the DLS

The first potential victim of VanHelsing RaaS operates in the public sector, with administrative functions. This suggests that the group may be targeting government entities, municipalities, or public services, sectors often vulnerable to ransomware.

The attack appears to follow a double extortion strategy, featuring a 10-day countdown before exfiltrated data is published. This implies that VanHelsing is likely negotiating a ransom with the affected entity, attempting to maximize profits before making any sensitive information public.

3. Anatomy of the DLS

At present, VanHelsing’s DLS contains only one possible victim, which could indicate several scenarios:

1. The group is testing its infrastructure before launching large-scale attacks.
2. Other victims are in negotiation and have not yet been listed on the DLS.
3. Affiliates are still adopting the ransomware, meaning the number of attacks could increase exponentially in the coming weeks.

Experience with other RaaS groups shows that the number of victims tends to grow rapidly as more cybercriminals start using the service.

4. VanHelsing Chat: A Private Communication Platform

Another key element of VanHelsing is its private chat portal, accessible only via a Session ID. This suggests that the group manages ransom negotiations directly with victims and communicates with affiliates without relying on public platforms like Telegram or underground forums.

Advantages of a Private Chat System:

• Enhanced security → Reduces the risk of infiltration by law enforcement or cybersecurity researchers.
• Direct ransom request management → Victims can communicate directly with VanHelsing’s team or the affiliate responsible for the attack.
• Affiliate coordination → RaaS members can receive technical support and operational updates in real-time.

This infrastructure indicates that VanHelsing operates as a centralized and professional ransomware group, distinguishing itself from less organized actors.

5. Conclusions

The emergence of VanHelsing RaaS represents another evolution in the ransomware model, with a highly scalable infrastructure and advanced tools for affiliates. Their focus on automation and operational security suggests that we may see an increase in attacks in the coming months, with significant impacts on businesses and critical infrastructure.

Although the DLS remains minimal for now, the appearance of the first victim in less than a month confirms that the group is already executing real-world attacks. If VanHelsing’s RaaS model gains traction among cybercriminals, the number of attacks could rise rapidly, making it a serious emerging threat in the ransomware ecosystem.

Pietro Melillo
Head of the Dark Lab group. A computer engineer specialised in cyber security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia. He was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, and carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D. He is an author of scientific papers and a developer of tools to support cybersecurity activities. He leads the CTI team "RHC DarkLab".