What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Van Helsing attack can make a huge difference and help you make a full recovery. Request 24/7 Van Helsing ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Van Helsing ransomware statistics & facts

Van Helsing Decryptor
Van Helsing IOCs
Van Helsing Attack Vectors
Case Outcomes
How to Remove Van Helsing Ransomware?
How to Recover from Van Helsing Ransomware?
Ransom Amounts
Van Helsing Decryptor

No public decryption tool exists. Early samples are under analysis by security researchers; potential key recovery mechanisms may emerge in coming months.

Van Helsing IOCs

File Extensions
.vanhelsing

Ransom Note Filenames
README.txt (all platforms), README_VAN_HELSING.txt

Van Helsing Process Hashes
Linux: /usr/bin/vhsystemd (masquerades as systemd), process hash monitoring required. Windows: vhservice.exe. ESXi: vh-vmk.so kernel module. BSD: vhd daemon.

Van Helsing Tools
– EDR Disabling: SELinux policy manipulation, AppArmor bypass, Defender disable via GPO
– Credential Dumping: /etc/shadow extraction, SAM registry hives, LSASS memory dumps, vSphere credential theft
– Reconnaissance: Shodan API, nmap scanning, vSphere API enumeration, ESXi version detection
– Exfiltration: Rclone multi-platform, SSH rsync tunneling, vSphere snapshot exfiltration
– Lateral Movement: SSH credential propagation, SMB relay attacks, vSphere API abuse
– Malware: Qbot variants, Sliver C2, custom SSH backdoors

Most Common Red Flag
Multi-platform command sequences: `ssh user@[server] ‘chmod +x /tmp/vh-install.sh && /tmp/vh-install.sh’` on Linux, followed by `powershell -Command “[Base64]”` on Windows simultaneously, and ESXi API calls: `curl -k https://[esxi]:443/api/esx/settings/clusters/[cluster-id]/image`

Van Helsing Attack Vectors

Attack vector

% of Van Helsing incidents

Notes

Unpatched ESXi/vSphere

45%

CVE-2023-20519, CVE-2021-22015 exploitation

SSH Brute Force

25%

Weak Linux credentials or exposed services

Supply Chain/IAB

20%

Purchased network access

RDP/SSH Exposed

10%

Internet-facing management interfaces

Powered By WP Table Builder
Case Outcomes

47 organizations breached in first month (March–April 2025); 12 confirmed victims published. Ransom demands: $150K–$3.2M. 35% of victims paid; 40% restored from backups; 25% still recovering. One critical infrastructure operator (unnamed) restored ESXi cluster in 96 hours using backup snapshots.

How to Remove Van Helsing Ransomware?

Van Helsing cannot be removed post-encryption without attacker’s decryption key. Removal focuses on eliminating persistence: disconnect all systems from network immediately; identify and terminate C2 communication channels; revoke all credentials across platforms; scan for backdoors (SSH keys, authorized_keys modifications, ESXi SSH keys, scheduled tasks); restore from verified clean backups on isolated networks.

How to Recover from Van Helsing Ransomware?

Recovery timeline depends on backup scope and platform diversity. Heterogeneous environments face challenges: Linux restoration may complete while ESXi snapshots are being recovered. Implement 3-2-1 backups with multi-platform support; test restoration procedures monthly; maintain offline backup copies; engage third-party recovery services for complex environments. Recovery typically requires 5–10 days for complete infrastructure restoration.

Ransom Amounts

Documented demands: $150,000–$3,200,000. Amounts correlate with victim organization size and data sensitivity. Negotiation discounts: 40–70%. Bitcoin payments tracked on blockchain linking to Van Helsing infrastructure addresses.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is Van Helsing Ransomware?

Van Helsing is a newly launched (March 2025) RaaS platform written in C++ that encrypts files across multiple operating systems simultaneously: Windows, Linux, BSD, and ESXi. The multi-platform capability is its primary distinguishing feature, allowing a single attack to compromise heterogeneous infrastructure. Files receive the .vanhelsing extension and are protected with AES-256-GCM encryption plus RSA-4096 key wrapping.

Where is Van Helsing Operated From?

Attribution remains unconfirmed, though operational language, affiliate recruitment channels, and timezone activity suggest Eastern European origin. The group demonstrates enterprise-scale management capabilities indicating a team of 5–15 developers and operators.

How Does Van Helsing Work Across Multiple Operating Systems?

Van Helsing includes platform-specific binaries compiled for Windows (.exe), Linux (ELF), BSD (ELF), and ESXi (kernel module .so). The attack requires reconnaissance to identify all systems in the environment, then deploys the appropriate binary to each platform. Lateral movement tools propagate credentials across OS boundaries to ensure comprehensive encryption

How Long Does Van Helsing Take to Encrypt a System?

Encryption speed varies by platform: Windows domain controllers typically encrypt in 2–6 hours; Linux file servers in 4–8 hours; ESXi datastores in 6–12 hours depending on VM count. The attack is sequential across platforms, meaning complete infrastructure compromise requires 2–3 days minimum.

Can Van Helsing Ransomware Be Decrypted?

No decryption tool currently exists. Decryption requires the attacker’s private RSA-4096 key, only obtainable through negotiation, law enforcement cooperation, or future research breakthroughs by security analysts.

What Happens If You Don't Pay Van Helsing's Ransom?

Stolen data is published on Van Helsing’s leak site within 48 hours. They’ve published partial files (spreadsheets, contracts, credentials) from all 47 early victims to prove access. Regulatory penalties, litigation, and customer notification costs typically exceed ransom amounts.

How Can I Prevent Van Helsing Infection?

Maintain patch management across all OS platforms (prioritize ESXi CVEs); implement strong MFA for SSH and RDP; disable internet-facing management interfaces; segment critical infrastructure on isolated networks; monitor for multi-platform lateral movement (SSH key propagation, credential distribution); maintain air-gapped backups; conduct OS-specific security audits quarterly.

What is the Multi-OS Incident Response Checklist?

1) Isolate all platforms simultaneously (Windows domain, Linux cluster, ESXi environment); 2) Preserve logs from all OS types; 3) Reset credentials across platforms; 4) Check for SSH backdoors on Linux/BSD systems; 5) Audit ESXi snapshots and permission changes; 6) Scan Windows for persistence mechanisms; 7) Engage law enforcement; 8) Assess backup integrity on all platforms; 9) Test restoration on isolated network segments; 10) Plan phased recovery starting with least-critical systems.

Why Focus on Multi-Platform Environments?

Organizations running mixed infrastructure (common in enterprises) lack unified backup and recovery processes. Each platform has different backup vendors, retention policies, and recovery procedures. Van Helsing exploits this fragmentation, paralyzing organizations that lose Windows, Linux, and ESXi simultaneously. Multi-platform RaaS represents an evolution in attack complexity.

What Are Van Helsing's Affiliate Requirements?

Entry fee of $5,000 USD in cryptocurrency; affiliates retain 70–80% of ransom proceeds; operators provide malware, leak site, payment processing, and technical support; strict operational discipline required (no targeting of healthcare unless negotiated). Affiliate program actively recruits via dark web forums, indicating rapid growth plans.