A new ransomware strain named VanHelsing was first observed on March 16, 2025, targeting Windows systems. Its primary focus is on government, manufacturing, and pharmaceutical sectors in France and the United States. Once a system is infected, VanHelsing encrypts files and appends the “.vanhelsing” extension to compromised files. The ransomware also changes the desktop wallpaper and places a ransom note called “README.txt” to communicate with victims.
VanHelsing operates using a double extortion strategy.
In addition to encrypting files, it exfiltrates sensitive data, including personal details, financial reports, and other critical documents. This strategy increases the pressure on victims to pay the demanded Bitcoin ransom. The ransomware also employs advanced evasion techniques to avoid detection, including Windows Management Instrumentation, scheduled tasks, and command scripting for execution.
The malware uses several methods to maintain persistence, such as registry run keys, Windows services, and bootkit capabilities. It modifies system registry settings, manipulates file permissions, and executes indirect commands. These tactics ensure that VanHelsing can continue running even after system reboots or attempts to remove the malware.
The ransomware also features a branded desktop wallpaper, warning victims that their system has been compromised.
VanHelsing operates a dedicated chat portal on the Tor network for victims to communicate with attackers. It also extends its capabilities to credential theft, system discovery, and data collection from local systems and email repositories. Security experts recommend implementing backup solutions, multifactor authentication, regular patching, and zero-trust architecture to mitigate risks from this new ransomware strain.
