A significant development in the cybercriminal landscape occurred on May 20, 2025, when the VanHelsing ransomware-as-a-service (RaaS) operation publicly released its source code after an alleged former developer attempted to sell it on the RAMP cybercrime forum.
Security researchers have verified the authenticity of the leaked code, which includes components for the Windows encryptor and administrative tools. This incident joins a growing list of ransomware source code leaks that have allowed other threat actors to proliferate attacks.
VanHelsing Ransomware Source Code Leaked
Early on May 20, a user with the alias ‘th30c0der’ appeared on the RAMP forum offering to sell VanHelsing’s source code for $10,000.
The listing advertised comprehensive access to “TOR keys + web panel for admin + chat + file server + blog include database everything”.
The seller also detailed the ransomware’s multi-platform capabilities, claiming it could target Windows, Linux, NAS systems, and ESXi environments from versions 2.0 to 8.0.
In response, the official VanHelsing operators published portions of the source code themselves, alleging that th30c0der was “an old member of the development team who’s trying to scam people by selling the old codes”.
They simultaneously announced plans for “VanHelsing 2.0” with “new futures and the safest it can be by not recruiting any external developers for the support”.
Security researcher Emanuele De Lucia was among the first to report this development.
Technical Analysis of the Leaked Builder
The leaked archive contains genuine but disorganized code, with Visual Studio project files incorrectly placed in the “Release” folder typically reserved for compiled binaries.
The Windows encryptor builder connects to an affiliate panel at IP address 31.222.238[.]208 for build data, creating a technical hurdle for potential users.
A code segment in the leak shows how the ransomware creates a mutex to prevent multiple instances from running simultaneously.
Another significant discovery in the code is VanHelsing’s routine for generating temporary paths for payload distribution, which shows how the malware stages lateral movement using PsExec.
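As an added defensive illustration (not code from the article or from the leaked builder), the following Python snippet runs a few heuristics for PsExec-style lateral movement over constructed sample Windows events: a service install (System Event ID 7045) whose name or binary refers to PSEXESVC, a service whose binary was dropped in a temporary path, and a Sysmon named-pipe event (ID 17/18) for the PSEXESVC pipe. The event format and hostnames are assumptions for the example.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample events in a simplified JSON-lines form (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Host": "ws01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Host": "ws02", "ServiceName": "WinPrintSvc", "ImagePath": "C:\\Windows\\Temp\\tmp8f2a.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Host": "ws03", "ServiceName": "gupdate", "ImagePath": "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /svc", "AccountName": "LocalSystem"}
{"EventID": 17, "Host": "ws01", "PipeName": "\\PSEXESVC", "Image": "C:\\Windows\\PSEXESVC.exe"}
{"EventID": 1, "Host": "ws04", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

# Service binaries staged in temp-style locations are a common sign of a dropped payload.
TEMP_PATH = re.compile(r"\\(temp|tmp|programdata)\\", re.IGNORECASE)
# Sysinternals PsExec installs a service and named pipe called PSEXESVC by default.
PSEXEC_NAMES = re.compile(r"psexe[cs]", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return a verdict label for one event, or None when nothing is suspicious."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        name, path = event.get("ServiceName", ""), event.get("ImagePath", "")
        if PSEXEC_NAMES.search(name) or PSEXEC_NAMES.search(path):
            return "psexec_service_install"
        if TEMP_PATH.search(path):
            return "service_binary_in_temp_path"
    elif eid in (17, 18):  # Sysmon: named pipe created / connected
        if PSEXEC_NAMES.search(event.get("PipeName", "")):
            return "psexec_named_pipe"
    return None


def scan(lines: str) -> List[Tuple[str, str]]:
    """Parse JSON-lines events and return (host, verdict) pairs for every hit."""
    hits = []
    for raw in lines.strip().splitlines():
        event = json.loads(raw)
        verdict = classify(event)
        if verdict:
            hits.append((event["Host"], verdict))
    return hits


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```

Because a renamed PsExec copy changes the service and pipe name, the temp-path rule is the one that still fires on a custom dropper; treat each hit as a pivot for investigation rather than a standalone alert.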
This leak follows a troubling pattern of ransomware source code exposures. Similar incidents with Babuk (June 2021), Conti (March 2022), and LockBit (September 2022) resulted in widespread adoption of their techniques by other threat actors.
The Babuk leak, in particular, became widely used for VMware ESXi attacks. VanHelsing, which emerged in March 2025, has already claimed at least eight victims according to Ransomware[.]live.
The ransomware uses Curve25519 and ChaCha20 encryption algorithms, making file recovery difficult without decryption keys. It’s also known for implementing double extortion tactics, threatening to leak exfiltrated data if ransoms aren’t paid.
Security experts are particularly concerned about an MBR locker feature revealed in the code, which would replace a system’s Master Boot Record with a custom bootloader displaying ransom demands. This technique prevents normal computer startup and can increase pressure on victims to pay.
As cybersecurity professionals analyze the leaked code, organizations are advised to implement stronger defenses against ransomware attacks that may leverage this newly available builder.