Cross-Platform VanHelsing Ransomware Targets Windows, Linux and VMware ESXi


Researchers have identified a new ransomware-as-a-service (RaaS) group called VanHelsing, which launched on March 7 and has already targeted three organizations, demanding $500,000 from each.
Despite its cross-platform design supporting Windows, Linux, VMware ESXi, BSD, and Arm-based systems, only Windows machines have been infected so far. Researchers believe VanHelsing is an original ransomware strain, not a rebrand, The Register reports.
Affiliates pay a $5,000 deposit to join the program unless they have an established reputation. They receive 80% of ransom payments, while the remaining 20% goes to the operators. Affiliates are responsible for infection methods, such as malicious emails or downloads.
The VanHelsing program includes a control panel to simplify infections, suggesting it targets lower-skilled cybercriminals. Development is ongoing, with rapid updates and incomplete features.
Researchers analyzed two different Windows samples compiled within five days of each other. The group prohibits attacks in Russia and other Commonwealth of Independent States countries—a common rule among similar gangs.
Researchers noted fears among affiliates about being co-opted by the Russian government, referencing similar dynamics in groups like LockBit. This aligns with the broader observation that the Russian government may tolerate or even collaborate with ransomware groups, a trend also seen in China.
Takeaway: Linux systems are foundational to global infrastructure, powering everything from web servers and IoT devices to government, financial, and industrial networks.
While ransomware groups are increasingly developing Linux-targeting variants, recent incidents suggest that many attacks remain concentrated on Windows environments—for now.
The newly identified VanHelsing ransomware-as-a-service operation advertises cross-platform capabilities, including support for Linux and VMware ESXi, yet all known victims so far have been Windows-based.
However, the push toward cross-platform ransomware payloads is unmistakable. By expanding their addressable target range, ransomware operators can increase the potential impact and profitability of their campaigns.
Linux systems, due to their central role in enterprise environments and their “always on” nature, are particularly attractive. A successful attack can grant access to an organization’s most critical systems, translating to larger ransom demands and wider operational disruption.
VanHelsing’s rapid development and accessible affiliate model show how these threats are becoming easier to deploy—even by less-skilled actors. As more ransomware operations adopt cross-platform strategies, the risk to Linux environments will continue to grow.
The time to harden defenses is now, before these groups shift their focus and unleash attacks that could surpass the scale of any seen to date.