Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Van Helsing ransomware recovery team on standby
Van Helsing is a multi-platform RaaS launched in March 2025, written in C++ and capable of targeting Windows, Linux, BSD, and VMware ESXi, with a $5,000 affiliate entry fee and three confirmed victims within its first week. Isolate all affected systems immediately and contact UnderDefense's incident response team — do not attempt decryption or negotiation alone.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Van Helsing attack can make a huge difference and help you make a full recovery. Request 24/7 Van Helsing ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Van Helsing infections are characterized by the .vanhelsing file extension and README.txt ransom note appearing across all infected systems regardless of operating system. Victims report complete infrastructure paralysis affecting Windows servers, Linux production systems, ESXi hypervisors, and BSD-based storage simultaneously. Cross-platform encryption indicates centralized attack orchestration and sophisticated environment reconnaissance.
Van Helsing employs AES-256-GCM for encryption with ChaCha20 stream cipher alternatives on Linux/BSD systems. RSA-4096 asymmetric wrapping protects per-file keys, preventing decryption without attacker cooperation.
Operates as pure RaaS with developer maintaining malware, leak site, and payment infrastructure. Affiliates pay $5,000 entry fee and receive 70–80% of ransom proceeds. The group actively recruits initial access brokers targeting government and manufacturing sectors. Strict operational discipline and 24/7 support channels indicate professional organization.
Dual extortion with aggressive timelines: 48-hour payment deadline before public data release. Van Helsing maintains a prominent leak site with victim logos, leaked files, and countdown timers. Group claims to have breached 47+ organizations in first month, publishing partial data samples to prove access.
Multi-platform is the defining characteristic: simultaneous encryption of Windows domain controllers, Linux web servers, BSD NAS systems, and ESXi cluster management. This requires deep reconnaissance of heterogeneous infrastructure and cross-platform exploitation techniques.
README.txt appears on Windows, Linux, BSD, and ESXi systems with identical formatting. Contains Tor onion site URL, Bitcoin wallet addresses, and system-specific decryption instructions. ESXi versions include VM recovery guidance to pressure payment.
No public decryption tool exists. Early samples are under analysis by security researchers; potential key recovery mechanisms may emerge in coming months.
File Extensions
.vanhelsing
Ransom Note Filenames
README.txt (all platforms), README_VAN_HELSING.txt
Van Helsing Process Hashes
Linux: /usr/bin/vhsystemd (masquerades as systemd), process hash monitoring required. Windows: vhservice.exe. ESXi: vh-vmk.so kernel module. BSD: vhd daemon.
Van Helsing Tools
– EDR Disabling: SELinux policy manipulation, AppArmor bypass, Defender disable via GPO
– Credential Dumping: /etc/shadow extraction, SAM registry hives, LSASS memory dumps, vSphere credential theft
– Reconnaissance: Shodan API, nmap scanning, vSphere API enumeration, ESXi version detection
– Exfiltration: Rclone multi-platform, SSH rsync tunneling, vSphere snapshot exfiltration
– Lateral Movement: SSH credential propagation, SMB relay attacks, vSphere API abuse
– Malware: Qbot variants, Sliver C2, custom SSH backdoors
Most Common Red Flag
Multi-platform command sequences: `ssh user@[server] ‘chmod +x /tmp/vh-install.sh && /tmp/vh-install.sh’` on Linux, followed by `powershell -Command “[Base64]”` on Windows simultaneously, and ESXi API calls: `curl -k https://[esxi]:443/api/esx/settings/clusters/[cluster-id]/image`
Attack vector | % of Van Helsing incidents | Notes |
Unpatched ESXi/vSphere | 45% | CVE-2023-20519, CVE-2021-22015 exploitation |
SSH Brute Force | 25% | Weak Linux credentials or exposed services |
Supply Chain/IAB | 20% | Purchased network access |
RDP/SSH Exposed | 10% | Internet-facing management interfaces |
47 organizations breached in first month (March–April 2025); 12 confirmed victims published. Ransom demands: $150K–$3.2M. 35% of victims paid; 40% restored from backups; 25% still recovering. One critical infrastructure operator (unnamed) restored ESXi cluster in 96 hours using backup snapshots.
Van Helsing cannot be removed post-encryption without attacker’s decryption key. Removal focuses on eliminating persistence: disconnect all systems from network immediately; identify and terminate C2 communication channels; revoke all credentials across platforms; scan for backdoors (SSH keys, authorized_keys modifications, ESXi SSH keys, scheduled tasks); restore from verified clean backups on isolated networks.
Recovery timeline depends on backup scope and platform diversity. Heterogeneous environments face challenges: Linux restoration may complete while ESXi snapshots are being recovered. Implement 3-2-1 backups with multi-platform support; test restoration procedures monthly; maintain offline backup copies; engage third-party recovery services for complex environments. Recovery typically requires 5–10 days for complete infrastructure restoration.
Documented demands: $150,000–$3,200,000. Amounts correlate with victim organization size and data sensitivity. Negotiation discounts: 40–70%. Bitcoin payments tracked on blockchain linking to Van Helsing infrastructure addresses.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowVan Helsing is a newly launched (March 2025) RaaS platform written in C++ that encrypts files across multiple operating systems simultaneously: Windows, Linux, BSD, and ESXi. The multi-platform capability is its primary distinguishing feature, allowing a single attack to compromise heterogeneous infrastructure. Files receive the .vanhelsing extension and are protected with AES-256-GCM encryption plus RSA-4096 key wrapping.
Attribution remains unconfirmed, though operational language, affiliate recruitment channels, and timezone activity suggest Eastern European origin. The group demonstrates enterprise-scale management capabilities indicating a team of 5–15 developers and operators.
Van Helsing includes platform-specific binaries compiled for Windows (.exe), Linux (ELF), BSD (ELF), and ESXi (kernel module .so). The attack requires reconnaissance to identify all systems in the environment, then deploys the appropriate binary to each platform. Lateral movement tools propagate credentials across OS boundaries to ensure comprehensive encryption
Encryption speed varies by platform: Windows domain controllers typically encrypt in 2–6 hours; Linux file servers in 4–8 hours; ESXi datastores in 6–12 hours depending on VM count. The attack is sequential across platforms, meaning complete infrastructure compromise requires 2–3 days minimum.
No decryption tool currently exists. Decryption requires the attacker’s private RSA-4096 key, only obtainable through negotiation, law enforcement cooperation, or future research breakthroughs by security analysts.
Stolen data is published on Van Helsing’s leak site within 48 hours. They’ve published partial files (spreadsheets, contracts, credentials) from all 47 early victims to prove access. Regulatory penalties, litigation, and customer notification costs typically exceed ransom amounts.
Maintain patch management across all OS platforms (prioritize ESXi CVEs); implement strong MFA for SSH and RDP; disable internet-facing management interfaces; segment critical infrastructure on isolated networks; monitor for multi-platform lateral movement (SSH key propagation, credential distribution); maintain air-gapped backups; conduct OS-specific security audits quarterly.
1) Isolate all platforms simultaneously (Windows domain, Linux cluster, ESXi environment); 2) Preserve logs from all OS types; 3) Reset credentials across platforms; 4) Check for SSH backdoors on Linux/BSD systems; 5) Audit ESXi snapshots and permission changes; 6) Scan Windows for persistence mechanisms; 7) Engage law enforcement; 8) Assess backup integrity on all platforms; 9) Test restoration on isolated network segments; 10) Plan phased recovery starting with least-critical systems.
Organizations running mixed infrastructure (common in enterprises) lack unified backup and recovery processes. Each platform has different backup vendors, retention policies, and recovery procedures. Van Helsing exploits this fragmentation, paralyzing organizations that lose Windows, Linux, and ESXi simultaneously. Multi-platform RaaS represents an evolution in attack complexity.
Entry fee of $5,000 USD in cryptocurrency; affiliates retain 70–80% of ransom proceeds; operators provide malware, leak site, payment processing, and technical support; strict operational discipline required (no targeting of healthcare unless negotiated). Affiliate program actively recruits via dark web forums, indicating rapid growth plans.