VanHelsing Ransomware Overview - In mid-March 2025, the first sample of the VanHelsing ransomware was uploaded to a publicly accessible file-scanning service. Like other ransomware, VanHelsing encrypts files and demands a ransom for their decryption via dropped ransom notes.
Infection Vector - Information on the infection vector used by the VanHelsing ransomware threat actor is unavailable. However, it is unlikely to differ significantly from that of other ransomware groups.[1]
Attack Method - When run, the VanHelsing ransomware (SHA2: 99959C5141F62D4FBB60EFDC05260B6E956651963D29C36845F435815062FD98) accepts the following command line arguments:
- -h for help
- -v for verbose output
- -sftpPassword for spreading over SFTP
- -smbPassword for spreading over SMB
- -bypassAdmin to lock the target without administrator privileges
- -noLogs to disable logging
- -noPriority to disable the CPU and I/O priority adjustment
The VanHelsing ransomware then encrypts files on the compromised machines and adds the file extension “.vanlocker” to affected files.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows users
Impact: Encrypts victims' files and demands a ransom for file decryption
Severity level: High
Figure 1: Files encrypted by a VanHelsing ransomware variant
Note that although this VanHelsing variant (SHA2: 99959C5141F62D4FBB60EFDC05260B6E956651963D29C36845F435815062FD98) uses the “.vanlocker” extension, it still belongs to the VanHelsing ransomware family: it uses the same ransom negotiation and data leak sites as the other known variant (SHA2: 86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17), which appends the “.vanhelsing” extension to the files it encrypts.
Figure 2: Files encrypted by the VanHelsing ransomware
The VanHelsing ransomware does not encrypt files with the following names (README.txt is the name of its own ransom note):
boot.ini, autofun.inf, bootfont.bin, bootsect.bak, desktop.ini, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumb.db, GDIPFONTCACHEV1.DAT, iconcache.db, d3d9caps.dat, LOGS.txt, README.txt
It also avoids encrypting files with the following extensions (skipping .vanlocker prevents it from re-encrypting its own output; the list is reproduced as reported, including apparent misspellings such as .syss and .thempa):
.vanlocker, .exe, .dll, .lnk, .sys, .msi, .bat, .bin, .com, .cmd, .386, .adv, .ani, .cab, .ico, .mod, .msstyles, .msu, .nomedia, .ps1, .rtp, .syss, .deskthemepack, .cur, .cpl, .diagcab, .diagcfg, .diagpke, .drv, .hlp, .pdb, .hta, .key, .lock, .ldf, .ocx, .icl, .icns, .ics, .idx, .mpa, .msc, .msp, .nls, .rom, .scr, .shs, .spl, .theme, .thempa, .wpx
The VanHelsing ransomware avoids encrypting files in the following folders (reproduced as reported, including the “wiint” spelling and both capitalizations of the recycle bin folder):
tmp, wiint, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, boot, Windows, Trend Micro, program files, program files(x86), tor browser, intel, all users, msocache, perflogs, default, microsoft
It also creates a mutex named Global\VanHelsing.
It may also modify the registry key Software\Classes\.vanlocker\DefaultIcon to assign a custom icon to .vanlocker files. However, we did not observe this VanHelsing ransomware sample changing the file icon of the encrypted files in our testing.
It then drops the following ransom note in “README.txt”:
Figure 3: Ransom note dropped by the VanHelsing ransomware
The ransom note directs victims to chat sites operated by the attacker on Tor, where ransom negotiation takes place. The ransomware also replaces the desktop wallpaper with its own.
Figure 4: Desktop wallpaper replaced by the VanHelsing ransomware
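The file-name, extension and folder exclusions above, together with the mutex name, are enough to emulate the ransomware's targeting on a mounted share or disk image (how much of a tree it would have touched) and to write a live-response check for the mutex. The following Python is an added example, not code from the original article or from the malware. The lists are transcribed from the page as reported; the matching semantics (case-insensitive, exact match on a file name, an extension, or a single directory component), the mutex check via OpenMutexW, and the sample tree it builds are assumptions made for the example.

```python
"""Emulate the VanHelsing file-selection rules described above.

Added example, not the ransomware's code. The exclusion lists are transcribed
from the page as reported, spelling included. The matching semantics are an
assumption: case-insensitive exact match on the file name, the extension, or
any single directory component. The page lists both $Recycle.Bin and
$RECYCLE.BIN, which hints the real check may be case-sensitive; if so, it
would leave more files in scope than this emulation reports.
"""
import os
import sys
import tempfile
from pathlib import PureWindowsPath

SKIPPED_FILENAMES = {
    "boot.ini", "autofun.inf", "bootfont.bin", "bootsect.bak", "desktop.ini",
    "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumb.db",
    "gdipfontcachev1.dat", "iconcache.db", "d3d9caps.dat", "logs.txt",
    "readme.txt",
}
SKIPPED_EXTENSIONS = {
    ".vanlocker", ".exe", ".dll", ".lnk", ".sys", ".msi", ".bat", ".bin",
    ".com", ".cmd", ".386", ".adv", ".ani", ".cab", ".ico", ".mod",
    ".msstyles", ".msu", ".nomedia", ".ps1", ".rtp", ".syss",
    ".deskthemepack", ".cur", ".cpl", ".diagcab", ".diagcfg", ".diagpke",
    ".drv", ".hlp", ".pdb", ".hta", ".key", ".lock", ".ldf", ".ocx", ".icl",
    ".icns", ".ics", ".idx", ".mpa", ".msc", ".msp", ".nls", ".rom", ".scr",
    ".shs", ".spl", ".theme", ".thempa", ".wpx",
}
SKIPPED_FOLDERS = {
    "tmp", "wiint", "temp", "thumb", "$recycle.bin",
    "system volume information", "boot", "windows", "trend micro",
    "program files", "program files(x86)", "tor browser", "intel",
    "all users", "msocache", "perflogs", "default", "microsoft",
}
MUTEX_NAME = r"Global\VanHelsing"


def would_encrypt(win_path: str) -> bool:
    """True if a file at this Windows path is outside every exclusion rule."""
    p = PureWindowsPath(win_path)
    if p.name.lower() in SKIPPED_FILENAMES:
        return False
    if p.suffix.lower() in SKIPPED_EXTENSIONS:   # .vanlocker: never re-encrypt
        return False
    # One matching directory component anywhere on the path excludes the file.
    return not any(part.lower() in SKIPPED_FOLDERS for part in p.parts[:-1])


def in_scope_files(root: str) -> list:
    """Walk a local tree (mounted share or image) and return the files the
    rules would encrypt, as paths relative to root with '/' separators."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if would_encrypt(rel.replace(os.sep, "\\")):
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def mutex_present(name: str = MUTEX_NAME):
    """Live-response check on Windows: does the named mutex already exist?
    Returns True/False on Windows and None on any other platform."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    handle = k32.OpenMutexW(0x00100000, 0, name)     # SYNCHRONIZE access
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    # ERROR_ACCESS_DENIED (5): the object exists but another account owns it.
    return ctypes.get_last_error() == 5


def build_demo_tree() -> str:
    """Constructed sample layout (not victim data) to exercise the rules."""
    root = tempfile.mkdtemp(prefix="vh_demo_")
    layout = [
        "Users/alice/Documents/q1-budget.xlsx",   # in scope
        "Users/alice/Documents/README.txt",       # skipped: file name
        "Users/alice/AppData/login.ps1",          # skipped: extension
        "Windows/System32/drivers/etc/hosts",     # skipped: folder
        "Program Files/App/data.db",              # skipped: folder, any case
        "share/archive/old.doc.vanlocker",        # skipped: already encrypted
    ]
    for rel in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"demo")
    return root


if __name__ == "__main__":
    print("would encrypt:", in_scope_files(build_demo_tree()))
    print("mutex present:", mutex_present())
```

Running it on the constructed tree lists only Users/alice/Documents/q1-budget.xlsx; pointing in_scope_files at a mounted share gives a first-order estimate of what the ransomware would have encrypted, and mutex_present is only meaningful on a live Windows host where the sample may be running.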
Victimology and Data Leak Site - The VanHelsing ransomware group operates a Tor site where it posts the information it has stolen from its victims. At the time of our initial investigation in late March 2025, six victims were listed on the data leak site, and one more had been added when we checked back in mid-April.
Analysis of the VanHelsing ransomware victims listed on the data leak site found:
- The victims are spread out over four different countries.
- 50% of the victims are in the United States.
- The other victims are in Italy, France, and Australia.
- Manufacturing is the industry most affected by this, with two victims.
One of the six victims is a municipal government organization in the US, which suggests that the VanHelsing ransomware group may have no restrictions on who it targets.
Note that victims who have paid the ransom may have been removed from the data leak site. As such, additional companies may have been affected by the VanHelsing ransomware.
Figure 5: A list of the VanHelsing ransomware victims on its data leak site.
Figure 6: Negotiations between the VanHelsing group and one of the victims
Figure 7: Individual page of a victim organization
Best Practices Include Not Paying a Ransom - Organizations such as CISA, the NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to an advisory from the US Department of the Treasury's Office of Foreign Assets Control (OFAC), ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and fund illicit activity; payments that reach sanctioned persons or jurisdictions may themselves violate OFAC regulations. Organizations and individuals affected by ransomware can report the incident and submit samples of the ransomware activity to the FBI through its Internet Crime Complaint Center (IC3).
IOCs
VanHelsing Ransomware File IOCs
SHA2 | Note
86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17 | VanHelsing ransomware (.vanhelsing extension)
99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98 | VanHelsing ransomware (.vanlocker extension)
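The hashes above, the two encrypted-file extensions, and the README.txt note name are the host-side indicators this page gives. The following Python is an added example of an offline triage pass over a mounted image or share, not tooling from Fortinet or Red Sky Alliance. Because the page does not reproduce the note's text (it is only shown in Figure 3), a README.txt is counted as a probable note only when it mentions a .onion address; that heuristic, the 64 MiB hashing cut-off, and the sample tree the script builds are assumptions made for the example.

```python
"""Offline host triage for the VanHelsing indicators reported above.

Added example, not Fortinet's or Red Sky Alliance's tooling. It walks a tree
(a mounted disk image or share) and reports files carrying either encrypted
extension, README.txt files that look like the ransom note, and files whose
SHA-256 matches a reported sample hash. The page does not reproduce the note
text (Figure 3), so a README.txt counts only when it mentions a .onion
address; that heuristic and the demo tree are assumptions.
"""
import hashlib
import os
import tempfile

IOC_SHA256 = {
    "86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17",
    "99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98",
}
ENCRYPTED_EXTENSIONS = {".vanlocker", ".vanhelsing"}
RANSOM_NOTE = "readme.txt"
NOTE_MARKER = b".onion"               # assumption: note points to Tor sites
MAX_HASH_BYTES = 64 * 1024 * 1024     # assumption: skip very large files


def sha256_of(path: str) -> str:
    """Streamed SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def looks_like_note(path: str) -> bool:
    """Cheap heuristic: a README.txt that mentions a .onion address."""
    with open(path, "rb") as f:
        return NOTE_MARKER in f.read(64 * 1024).lower()


def triage(root: str) -> dict:
    """Return {'encrypted': [...], 'notes': [...], 'hash_hits': [...]} with
    paths relative to root, sorted, using '/' separators on every OS."""
    found = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                if ext in ENCRYPTED_EXTENSIONS:
                    found["encrypted"].append(rel)
                elif name.lower() == RANSOM_NOTE and looks_like_note(full):
                    found["notes"].append(rel)
                elif (os.path.getsize(full) <= MAX_HASH_BYTES
                        and sha256_of(full) in IOC_SHA256):
                    found["hash_hits"].append(rel)
            except OSError:
                continue          # unreadable or vanished file: skip, keep going
    return {k: sorted(v) for k, v in found.items()}


def build_demo_tree() -> str:
    """Constructed sample tree for the demo; none of it is real victim data."""
    root = tempfile.mkdtemp(prefix="vh_triage_")
    files = {
        "Finance/q1-budget.xlsx.vanlocker": b"\x00" * 32,
        "Finance/README.txt": b"Your files are encrypted. Contact us at "
                              b"http://placeholder.onion (constructed text)",
        "Engineering/README.txt": b"Build instructions for the widget project",
        "tools/util.bin": b"abc",          # SHA-256 ba7816bf..., not an IOC
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for kind, paths in triage(build_demo_tree()).items():
        print(f"{kind}: {paths}")
```

On the constructed tree the script reports one encrypted file and one probable note and no hash hits; on a real image, any hash hit should be preserved and submitted rather than deleted, since the binary is the evidence the negotiation-site and victimology analysis above rests on.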
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing?lctg=141970831