VanHelsing: Inside the Rise of a Multi‑Platform RaaS Threat Actor
ID: ecf89e27-dd87-5599-b92a-84e1b78fa981
STIX ID: report--ecf89e27-dd87-5599-b92a-84e1b78fa981
Feed Name: Brandefense Blog
VanHelsing is a commercially oriented Ransomware-as-a-Service that supports Windows (x86 and ARM), Linux, and VMware ESXi, enabling affiliates to conduct enterprise-targeted attacks; a leaked ransomware builder in late 2024 accelerated distribution and led to forks and increased use by lower-skilled actors. The report details affiliate-driven initial access methods (credential abuse, RDP/VPN/SSH exploitation, access brokers), lateral movement techniques, multi-threaded and VM-aware encryption, double-extortion practices, observed engineering improvements, and recommended mitigations for virtualization and credential hygiene.
