VanHelsing Ransomware Attacking Windows Systems With New Evasion Technique & File Extension
- taliberti5
- Mar 21
Updated: Mar 22

A new ransomware strain named VanHelsing has emerged, targeting Windows systems with sophisticated encryption techniques and advanced evasion tactics. First observed on March 16, 2025, VanHelsing primarily focuses on government, manufacturing, and pharmaceutical sectors in France and the United States.
Upon infection, VanHelsing encrypts files on the victim's system, appending the distinctive ".vanhelsing" extension to compromised files. It also changes the desktop wallpaper and drops a ransom note named "README.txt" to communicate with victims. The ransomware employs a double extortion strategy, not only encrypting files but also exfiltrating sensitive data such as personal details, financial reports, and other critical documents. This two-pronged approach increases pressure on victims to pay the demanded Bitcoin ransom.
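One way to detect the file behaviour described above, added here as an example and not taken from the article or any vendor tooling: it flags a process that writes a burst of ".vanhelsing" files and raises the severity when the same process also drops "README.txt". The event format, threshold, time window and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ntpath import basename

ENCRYPTED_EXT = ".vanhelsing"   # extension named in the article
RANSOM_NOTE = "readme.txt"      # ransom note name from the article, lower-cased

# Constructed file-event telemetry: "timestamp host pid action path" (hypothetical format).
SAMPLE_EVENTS = r"""
2025-03-16T10:00:01 WS01 4120 rename C:\Users\a\Documents\q1 report.xlsx.vanhelsing
2025-03-16T10:00:02 WS01 4120 rename C:\Users\a\Documents\plan.docx.vanhelsing
2025-03-16T10:00:02 WS01 4120 create C:\Users\a\Documents\README.txt
2025-03-16T10:00:03 WS01 4120 rename C:\Users\a\Pictures\id.png.VANHELSING
2025-03-16T10:00:04 WS01 4120 rename C:\Users\a\Desktop\notes.txt.vanhelsing
2025-03-16T10:05:00 WS02 812 create C:\Tools\pkg\README.txt
2025-03-16T10:06:00 WS03 990 create C:\Samples\one.bin.vanhelsing
2025-03-16T10:20:00 WS03 990 create C:\Samples\two.bin.vanhelsing
"""

def detect(lines, threshold=4, window=timedelta(seconds=60)):
    """Return one alert per (host, pid) that writes >= threshold .vanhelsing files within window."""
    recent = defaultdict(deque)   # (host, pid) -> timestamps of recent encrypted-file events
    notes = defaultdict(set)      # (host, pid) -> directories where README.txt was written
    alerts = {}
    for line in lines:
        parts = line.split(None, 4)   # path is the last field and may contain spaces
        if len(parts) != 5:
            continue                  # skip blank or malformed lines
        ts, host, pid, _action, path = parts
        ts, key, name = datetime.fromisoformat(ts), (host, pid), basename(path).lower()
        if name == RANSOM_NOTE:
            notes[key].add(path.rsplit("\\", 1)[0])
        elif name.endswith(ENCRYPTED_EXT):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"host": host, "pid": pid, "first_seen": q[0]}
    # A ransom note from the same process raises confidence; a note alone never alerts.
    for key, alert in alerts.items():
        alert["severity"] = "high" if notes[key] else "medium"
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample, only the WS01 process is flagged: the lone "README.txt" on WS02 and the two widely spaced ".vanhelsing" files on WS03 stay below the threshold.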
The ransomware's technical sophistication is evident in its various persistence mechanisms and defense evasion techniques. It utilizes Windows Management Instrumentation, scheduled tasks, and command scripting for execution. For persistence, it employs registry run keys, Windows services, and bootkit capabilities. VanHelsing also utilizes numerous evasion tactics that make detection challenging for security solutions, including direct volume access, rootkit functionality, software packing, process injection, and indicator removal.
The ransomware operates a dedicated chat portal on the Tor network where victims can communicate with attackers. Its capabilities extend to credential theft, system discovery, and data collection from local systems and email repositories. Security experts recommend implementing robust backup solutions, enabling multifactor authentication, patching systems regularly, and employing zero-trust architecture to mitigate risks from this emerging threat.