A newly emerging ransomware strain is turning heads in the cybersecurity world for its sophistication, scale and ambition. Known as VanHelsing, this ransomware as a service (RaaS) operation is designed to target a wide array of platforms, from traditional Windows environments to Linux, ARM-based systems and even virtualised infrastructure like VMware ESXi.
For Australian businesses reliant on hybrid or virtual infrastructure, VanHelsing represents a new breed of ransomware threat that cannot be ignored.
First observed in early 2025, VanHelsing is a commercially run RaaS platform. Threat actors, known as affiliates, can join the operation by paying a deposit, after which they are given access to a prebuilt ransomware kit. Ransom payments are then split between the affiliate (80%) and the core developers (20%).
This model significantly lowers the barrier to entry for cybercriminals and allows the operators to focus on maintaining and improving the malware, while affiliates handle the actual attacks.
VanHelsing stands out from typical ransomware campaigns for several reasons:
Multi-platform targeting
It is capable of encrypting files on Windows, Linux, BSD and VMware ESXi systems, with builds for ARM as well as conventional server hardware.
Stealthy persistence
It uses scheduled tasks, registry modifications and anti-detection techniques to remain hidden.
Double extortion tactics
Victims are not only locked out of their data but also threatened with public leaks if the ransom is not paid.
Custom encryption routines
The ransomware uses a correctly implemented modern encryption scheme with keys held only by the operators, so recovering files without paying, or without a flaw in the implementation, is computationally infeasible.
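The persistence mechanisms listed above (scheduled tasks and autorun registry keys) are also the easiest to detect early. The script below is an added example written for this page, not VanHelsing code or anything from the original post: it runs a few simple rules over Windows Security event 4698 (scheduled task created) and Sysmon event 13 (registry value set) records and flags the combinations that usually precede ransomware execution, such as a task whose binary lives in a user-writable directory, an encoded PowerShell command line, or an autorun key pointing into ProgramData or AppData. The sample records are constructed and flattened into simple JSON fields for readability; real exports (for example from a log shipper) nest these under EventData and the task definition arrives as XML in TaskContent, so the field names here are an assumption to adapt to your pipeline.

```python
import json
import re

# Constructed sample events, one JSON object per line. Fields are a simplified,
# flattened form of what a log shipper would export; they are not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 4698, "Channel": "Security", "User": "CORP\\jsmith", "TaskName": "\\Microsoft\\Windows\\UpdateCheck", "Command": "C:\\Users\\jsmith\\AppData\\Roaming\\svchost.exe", "Arguments": "-run"}
{"EventID": 4698, "Channel": "Security", "User": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "Command": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h -o -$"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": "C:\\ProgramData\\update.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\ProgramData\\update.exe"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware User Process", "Details": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"}
{"EventID": 4698, "Channel": "Security", "User": "CORP\\admin", "TaskName": "\\SysHealth", "Command": "powershell.exe", "Arguments": "-nop -w hidden -enc SQBFAFgA"}
"""

# Locations an unprivileged user (or a freshly dropped payload) can write to.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\programdata\\|\\windows\\temp\\|%temp%|%appdata%|\\users\\public\\)",
    re.IGNORECASE,
)
# Script hosts and living-off-the-land binaries that rarely belong in a scheduled task.
LOLBIN = re.compile(
    r"(^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?$",
    re.IGNORECASE,
)
# PowerShell encoded-command switches (-e, -ec, -enc, -EncodedCommand).
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
# Classic autorun locations: Run/RunOnce keys and the Winlogon Shell/Userinit values.
AUTORUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce|runservices)\\|"
    r"\\winlogon\\(shell|userinit)$",
    re.IGNORECASE,
)


def check_scheduled_task(ev):
    """Rules for Security event 4698. Any hit is reported: task creation is rare enough."""
    reasons = []
    cmd = ev.get("Command", "")
    args = ev.get("Arguments", "")
    if USER_WRITABLE.search(cmd):
        reasons.append("task binary in user-writable path")
    if LOLBIN.search(cmd):
        reasons.append("task runs a script host / LOLBin")
    if ENCODED_PS.search(args):
        reasons.append("encoded PowerShell command line")
    return reasons


def check_registry_autorun(ev):
    """Rules for Sysmon event 13. Writes to Run keys are common (installers do it),
    so only report when the value or the writing process points somewhere suspicious."""
    if not AUTORUN_KEY.search(ev.get("TargetObject", "")):
        return []
    strong = []
    if USER_WRITABLE.search(ev.get("Details", "")):
        strong.append("autorun value points to user-writable path")
    if USER_WRITABLE.search(ev.get("Image", "")):
        strong.append("writing process runs from user-writable path")
    if not strong:
        return []
    return ["write to autorun registry key"] + strong


def scan(lines):
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 4698:
            reasons, subject = check_scheduled_task(ev), ev.get("TaskName")
        elif eid == 13:
            reasons, subject = check_registry_autorun(ev), ev.get("TargetObject")
        else:
            continue  # other event IDs are out of scope for these rules
        if reasons:
            alerts.append({"event_id": eid, "subject": subject, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert['event_id']}] {alert['subject']}: {'; '.join(alert['reasons'])}")
```

Run against the constructed sample, three of the five events are flagged: the task pointing into a user's AppData directory, the Run value written from ProgramData, and the task launching encoded PowerShell. The legitimate defrag task and the VMware Tools autorun entry pass, which is the point of requiring a second signal on registry writes rather than alerting on every Run key change.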
Like many modern ransomware operations, VanHelsing relies heavily on the dark web to operate:
The entire ecosystem, from recruitment to extortion, is deeply embedded in dark web infrastructure, making dark web monitoring a critical capability for early detection and mitigation.
VanHelsing affiliates typically gain access to victim networks through:
Once inside, the ransomware rapidly encrypts files and drops a ransom note demanding payment in cryptocurrency. Demands can reach $500,000, depending on the size and perceived value of the target.
For Australian organisations operating in healthcare, finance, critical infrastructure or cloud services, the ability of VanHelsing to encrypt ESXi hosts, and with them every virtual machine they run, is especially concerning.
While no single solution guarantees protection from ransomware, a layered and proactive approach significantly reduces risk.
VanHelsing affiliates often use credentials bought or leaked on the dark web. Oko, Rivanorth’s dark web monitoring tool, can detect your organisation’s data appearing in underground marketplaces, allowing you to act before an attack begins.
Many ransomware affiliates gain entry through known, unpatched vulnerabilities in internet-facing systems. Keep all systems, particularly ESXi hosts and Linux servers, up to date with the latest security patches.
Maintain offline and immutable backups, including backups of virtual machines that are stored away from the ESXi hosts and datastores they run on. Test your recovery plans regularly to ensure business continuity in the event of an attack.
Use multi-factor authentication, restrict administrative privileges and separate critical systems from general network traffic.
Phishing and credential misuse remain among the most common initial access vectors. Educate staff on phishing red flags and run simulated attacks to improve resilience.
VanHelsing ransomware thrives on dark web ecosystems, from access brokering to leak sites. With Oko, you can monitor:
Oko delivers real-time alerts, helping you shut down threats before encryption begins. This kind of proactive visibility is vital in a landscape where traditional firewalls and antivirus tools often come too late.
VanHelsing ransomware signals a turning point in ransomware evolution. Its cross-platform nature, professional operation and use of dark web infrastructure pose a serious challenge to even well-prepared organisations.
For Australian businesses, being reactive is no longer an option. With dark web monitoring, strong security hygiene and the right tooling in place, you can stay one step ahead of today’s most dangerous cyber threats.