🇷🇺 RU

VanHelsing

Also known asVanHelsing

VanHelsing is a ransomware-as-a-service (RaaS) operation first promoted on cybercrime platforms on March 7, 2025. It is described as a multi-platform ransomware operation targeting Windows, Linux, BSD, ARM, and ESXi systems. Reporting in the provided content states that VanHelsing expressly prohibits affiliates from targeting organizations in Russia and other CIS countries. The group has publicly claimed victims including the City of Belleville, ATOS Racks, MEDS Pharmacy, Studio Vallone, Compumedics Limited, CAS-CHILE, Alert Enterprise, and the Law Offices of David Kohn. One report cited in the content states Ransomware.live had identified eight known victims. The content also states that the VanHelsing operation published source code for its affiliate panel, data leak blog, and Windows encryptor builder after a former developer using the alias "th30c0der" allegedly attempted to sell the code on the RAMP cybercrime forum for $10,000. According to the reporting summarized in the content, the leaked materials included source code for the Windows encryptor, a decryptor, and a loader, and indicated development work toward an MBR locker. The operators characterized the released materials as "old" source code and stated they planned to return with an updated version branded "VanHelsing 2.0." Aliases directly reflected in the content: vanhelsing.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

Jun 2, 2026

'Dumbass' criminal breaks the 'first rule of ransomware club'

Ransomware-as-a-service group referenced as enforcing a no-CIS targeting rule for members and affiliates.

blackfogNews

Sep 10, 2025

Ongoing: New Ransomware Gangs in 2025

Named as a new ransomware variant/gang emerging in 2024 and associated with victim claims posted in March 2024.

optiv blogNews

Jul 3, 2025

First Quarter 2025 Ransomware Trends

New multi-platform RaaS promoted in March 2025; targets Windows/Linux/BSD/ARM/ESXi; offers affiliate panel automation and support; forbids targeting CIS (noted as common among Russian/pro-Russian cybercriminal groups).

the hacker newsNews

Jun 11, 2025

Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Internal conflict led to source-code leak (including TOR keys, ransomware source, admin panel, chat system, file server, and blog database) on the RAMP forum—likely increasing copycat risk and enabling defenders to derive detections.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.