A major cybersecurity incident unfolded on May 20, 2025, as the developers behind the VanHelsing ransomware-as-a-service (RaaS) operation leaked their own source code online. This came after a former developer allegedly tried to sell the code on the RAMP cybercrime forum.
Security researchers have confirmed that the leaked files are authentic. The files include tools used to encrypt Windows systems, as well as administrative features. This event adds to a growing trend of ransomware source code leaks that could lead to more cyberattacks worldwide.
Attempted Sale on Cybercrime Forum
Early on May 20, a user named “th30c0der” appeared on the RAMP forum offering to sell VanHelsing’s full source code for $10,000.
The post claimed the package included TOR encryption keys, an admin panel, chat functions, a file server, and a blog system with databases. It also advertised support for multiple platforms including Windows, Linux, NAS, and ESXi systems, covering versions from 2.0 to 8.0.
Shortly after, the official VanHelsing team responded by leaking parts of the code themselves. They accused “th30c0der” of being a former developer trying to scam buyers with outdated files.
They also revealed plans for “VanHelsing 2.0,” promising new features and a more secure setup without outside developers.
Security researcher Emanuele De Lucia was one of the first experts to report the leak.
What the Leaked Code Contains
Experts analyzing the leaked files found that the source code is real but poorly organized. Visual Studio project files were placed in the wrong folders, which could confuse anyone trying to use them.
The Windows encryptor builder connects to an affiliate control panel at IP address 31.222.238[.]208 to gather configuration data, creating a barrier for users who don’t control that server.
The code also includes mutex functionality, which stops the ransomware from running multiple times on the same system. It also contains code that creates temporary paths for payloads, which shows how the ransomware moves laterally through networks using tools like PsExec.
Growing Trend of Ransomware Leaks
This leak follows earlier incidents involving ransomware groups like Babuk (June 2021), Conti (March 2022), and LockBit (September 2022). After their source code was leaked, many other cybercriminals began using their techniques.
The Babuk code, for example, was widely used to attack VMware ESXi systems. VanHelsing, which appeared in March 2025, has already claimed at least eight victims according to Ransomware[.]live.
The malware uses advanced encryption methods—Curve25519 and ChaCha20—that make data recovery without the right keys nearly impossible. VanHelsing is also known for using double extortion tactics, threatening to leak stolen data if victims don’t pay the ransom.
Dangerous New Features
One of the most worrying discoveries is an MBR (Master Boot Record) locker feature. It replaces the system's startup code in the MBR with a custom one that shows a ransom note on screen. This prevents the computer from starting normally and increases pressure on victims to pay quickly.
As cybersecurity experts continue to examine the leaked builder, companies are being urged to improve their ransomware defenses. With this code now in the wild, the risk of copycat attacks is expected to rise.