Ransomware Roundup – VanHelsing

VanHelsing ransomware is a high-severity threat targeting Microsoft Windows systems: it encrypts files and demands ransom payments for decryption. The family appends more than one file extension to encrypted files and maintains an active data leak site to pressure victims, significantly impacting affected organizations.

Key points

  • VanHelsing ransomware was first identified in March 2025, encrypting files and appending extensions like “.vanlocker” and “.vanhelsing”.
  • The ransomware accepts various command-line arguments that enable spreading over SMB and SFTP, evading admin rights, and controlling logging and resource usage.
  • It avoids encrypting critical system files, specific file extensions, and files located in system and application-related folders to maintain system stability.
  • Victims are primarily located in the United States, Italy, France, and Australia, with the manufacturing industry and municipal government among those affected.
  • The ransomware operates a TOR-based data leak site where stolen victim data is published to coerce ransom payments.
  • Fortinet solutions detect and block VanHelsing ransomware using FortiGuard Antivirus signatures, offering protection through FortiGate, FortiMail, FortiClient, and FortiEDR.
  • Best practices include maintaining updated AV and IPS signatures, employing security training like FortiPhish, implementing data backup strategies, and leveraging advanced network security architectures such as Zero Trust and SASE.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – VanHelsing encrypts victim files and appends extensions like “.vanlocker” and “.vanhelsing” to disrupt victim operations. (“…then encrypts files on the compromised machines and adds the file extension ‘.vanlocker’ to affected files.”)
  • [T1071.004] Application Layer Protocol: SFTP – Utilizes the “-sftpPassword” argument to spread the ransomware over SFTP connections. (“… -sftpPassword for spreading over sftp”)
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Uses the “-smbPassword” argument to propagate via SMB. (“… -smbPassword for spreading over SMB”)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Can stop logging via the “-noLogs” argument to avoid detection. (“-noLogs to stop logging”)
  • [T1204.002] User Execution: Malicious File – Execution involves running the ransomware binary with specific command lines, initiating encryption. (“When run, the VanHelsing ransomware…”)

Indicators of Compromise

  • [File Hashes] VanHelsing ransomware samples – 86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17, 99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98
  • [File Extensions] Encrypted files – .vanlocker, .vanhelsing (file extensions appended to encrypted files)
  • [Mutex] Process synchronization – GlobalVanHelsing (used to prevent multiple instances)
  • [File Name] Ransom note – README.txt (dropped on infected systems to instruct victims)
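As an added example (not code from the Fortinet post), a Python triage helper that walks a directory tree and matches the indicators listed above: the appended extensions, the README.txt note name, and the two sample SHA-256 hashes. The files it scans in run_on_constructed_sample() are constructed inert stand-ins, and a README.txt match alone is rated low because the name is generic.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators from the roundup: sample SHA-256 hashes, appended extensions, note name.
VANHELSING_SHA256 = {
    "86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17",
    "99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98",
}
ENCRYPTED_EXTENSIONS = {".vanlocker", ".vanhelsing"}
RANSOM_NOTE_NAME = "README.txt"

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_tree(root) -> dict:
    """Walk a directory tree and collect the on-disk VanHelsing indicators."""
    findings = {"encrypted_files": [], "ransom_notes": [], "hash_matches": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
            findings["encrypted_files"].append(str(path))
        if path.name == RANSOM_NOTE_NAME:  # generic name: weak evidence on its own
            findings["ransom_notes"].append(str(path))
        if sha256_of(path) in VANHELSING_SHA256:
            findings["hash_matches"].append(str(path))
    return findings

def severity(findings: dict) -> str:
    """A known sample hash or an encrypted extension is decisive; the note alone is a hint."""
    if findings["hash_matches"] or findings["encrypted_files"]:
        return "high"
    return "low" if findings["ransom_notes"] else "none"

def run_on_constructed_sample() -> tuple:
    """Build inert constructed files (not real artefacts) in a scratch dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx.vanlocker").write_bytes(b"\x00" * 64)
        (root / "finance" / RANSOM_NOTE_NAME).write_text("constructed note text")
        (root / "notes.txt").write_text("ordinary file, untouched")
        findings = triage_tree(root)
        return severity(findings), findings
```

In an investigation, point triage_tree() at a mounted image or drive root; the hash check covers dropped binaries, while the extension check measures how far encryption progressed.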

Read more: https://feeds.fortinet.com/~/918419141/0/fortinet/blog/threat-research~Ransomware-Roundup-%e2%80%93-VanHelsing