VanHelsing Ransomware Attacking Windows Systems With New Evasion Technique & File Extension

A new ransomware strain named VanHelsing has emerged, targeting Windows systems with sophisticated encryption techniques and advanced evasion tactics.

The malware, first observed on March 16, 2025, primarily focuses on government, manufacturing, and pharmaceutical sectors in France and the United States.

Upon infection, VanHelsing encrypts files on the victim’s system and appends the distinctive “.vanhelsing” extension to each encrypted file.


The ransomware also changes the desktop wallpaper and drops a ransom note named “README.txt” to communicate with victims.
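A defender-side illustration, added here and not part of Cyfirma's report: a small detector that reads constructed file-system event lines and flags a host when it sees a burst of renames to the “.vanhelsing” extension together with a “README.txt” drop. The event line format, host names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# On-disk indicators named in the report.
RANSOM_EXT = ".vanhelsing"
RANSOM_NOTE = "README.txt"

# Constructed sample events in an assumed "<ISO time> <host> <op> <path>" format (not a real log schema).
SAMPLE_EVENTS = """\
2025-03-16T10:00:01 WS01 RENAME C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.vanhelsing
2025-03-16T10:00:02 WS01 RENAME C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.vanhelsing
2025-03-16T10:00:02 WS01 CREATE C:\\Users\\a\\Documents\\README.txt
2025-03-16T10:00:03 WS01 RENAME C:\\Users\\a\\Pictures\\img.png -> C:\\Users\\a\\Pictures\\img.png.vanhelsing
2025-03-16T10:00:04 WS01 RENAME C:\\Users\\a\\Pictures\\cv.pdf -> C:\\Users\\a\\Pictures\\cv.pdf.vanhelsing
2025-03-16T10:00:04 WS01 RENAME C:\\Users\\a\\Pictures\\x.txt -> C:\\Users\\a\\Pictures\\x.txt.vanhelsing
2025-03-16T10:05:00 WS02 CREATE C:\\Users\\b\\Desktop\\README.txt
2025-03-16T10:30:00 WS03 RENAME C:\\tmp\\old.log -> C:\\tmp\\old.log.bak
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")

def parse_event(line):
    """Return (timestamp, host, op, resulting_path) or None for an unparsable line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, op, rest = m.groups()
    # For a rename the indicator is the destination name, after " -> ".
    path = rest.split(" -> ")[-1] if op == "RENAME" else rest
    return datetime.fromisoformat(ts), host, op, path

def detect(log_text, min_renames=3, window=timedelta(seconds=60)):
    """Per host, count renames to the ransom extension inside a sliding window and
    note ransom-note drops; return {host: verdict} for hosts with any indicator."""
    renames, notes = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        ts, host, op, path = ev
        if op == "RENAME" and path.lower().endswith(RANSOM_EXT):
            renames[host].append(ts)
        elif op == "CREATE" and path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            notes[host] += 1
    verdicts = {}
    for host in set(renames) | set(notes):
        times = sorted(renames[host])
        # Largest number of ransom-extension renames falling within any single window.
        burst = max((sum(1 for u in times if t <= u <= t + window) for t in times), default=0)
        if burst >= min_renames and notes[host]:
            verdicts[host] = "encryption_in_progress"
        elif burst >= min_renames or notes[host]:
            # A lone README.txt is a weak signal (common filename), so it only rates "suspicious".
            verdicts[host] = "suspicious"
    return verdicts
```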

Cyfirma researchers discovered that VanHelsing employs a double extortion strategy, not only encrypting files but also exfiltrating sensitive data such as personal details, financial reports, and other critical documents.

This two-pronged approach increases pressure on victims to pay the demanded Bitcoin ransom.

The ransomware’s technical sophistication is evident in its various persistence mechanisms and defense evasion techniques.

It utilizes Windows Management Instrumentation, scheduled tasks, and command scripting for execution.

For persistence, it employs registry run keys, Windows services, and bootkit capabilities.

VanHelsing’s desktop wallpaper (Source – Cyfirma)

The ransomware modifies the victim’s desktop wallpaper with a branded message indicating the system has been compromised.

Technical Evasion Methods

VanHelsing utilizes numerous evasion tactics that make detection challenging for security solutions.

These include direct volume access, rootkit functionality, software packing, process injection, and indicator removal.

The malware can modify registry settings, execute indirect commands, and manipulate file permissions to maintain persistence.

VanHelsing’s chat website on the Tor network (Source – Cyfirma)

VanHelsing operates a dedicated chat portal on the Tor network where victims can communicate with attackers.

The ransomware’s capabilities extend to credential theft, system discovery, and data collection from local systems and email repositories.

Security experts recommend implementing robust backup solutions, enabling multifactor authentication, patching systems regularly, and employing zero-trust architecture to mitigate risks from this emerging threat.


Tushar Subhra Dutta