VanHelsing is a ransomware-as-a-service (RaaS) operation that began in early March 2025, operating with a clear financial motivation through its affiliate program where participants pay a deposit and receive a significant share of ransom payments. The group rapidly established itself in the cybercriminal landscape, notably offering cross-platform ransomware variants and explicitly prohibiting attacks against targets in Commonwealth of Independent States (CIS) nations. A distinguishing characteristic of the VanHelsing ransomware is its documented flawed encryption logic, which can lead to irreversible data destruction even if victims comply with ransom demands. The group does not appear to operate under multiple names, but its ransomware employs different file extensions such as .vanlocker and .vanhelsing.