FOCUS MODE
EXTRACT IOC
Threat Research

VanHelsing Ransomware

Cyfirma
VanHelsing Ransomware
The CYFIRMA Research and Advisory Team has discovered the VanHelsing Ransomware, which targets Windows systems and uses advanced encryption methods, making it challenging to detect and remove. It employs double extortion tactics, threatening to leak sensitive data, and stresses the importance of proactive cybersecurity measures and incident response strategies. Affected: Windows systems, Government, Manufacturing, Pharma industries, France, USA

Keypoints :

  • VanHelsing Ransomware targets Windows operating systems.
  • It encrypts files and demands ransom for decryption, using Bitcoin as payment.
  • The ransomware adds a unique file extension “.vanhelsing” to encrypted files.
  • Victims are threatened with data leaks if they refuse to pay the ransom.
  • VanHelsing modifies the desktop wallpaper and drops a ransom note named “README.txt.”
  • Initial observation of the ransomware was on March 16, 2025.
  • Communication by the threat actor occurs via the Tor network.
  • Focus on robust cybersecurity measures is emphasized to minimize breach risks.

MITRE Techniques :

  • Execution (T1047) – Utilizing Windows Management Instrumentation.
  • Execution (T1053) – Implementing Scheduled Task/Job.
  • Execution (T1059) – Employing Command and Scripting Interpreter.
  • Execution (T1129) – Using Shared Modules.
  • Persistence (T1053) – Utilizing Scheduled Task/Job for persistence.
  • Persistence (T1542.003) – Implementing Pre-OS Boot: Bootkit for persistence.
  • Persistence (T1543.003) – Modifying System Process: Windows Service for persistence.
  • Persistence (T1547.001) – Leveraging Registry Run Keys / Startup Folder for autostart execution.
  • Persistence (T1574.002) – Hijacking Execution Flow with DLL Side-Loading.
  • Privilege Escalation (T1055) – Utilizing Process Injection for privilege escalation.
  • Credential Access (T1003) – Executing OS Credential Dumping for credential access.
  • Discovery (T1012) – Querying the Registry.
  • Command and Control (T1071) – Using Application Layer Protocol for command and control purposes.
  • Impact (T1486) – Encrypting data for impact.

Indicator of Compromise :

  • [SHA-256] 86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17


Full Story: https://www.cyfirma.com/research/vanhelsing-ransomware/

Tags: PROXY, PERSISTENCE, COLLECTION, WINDOWS, PRIVILEGE, TOOL, EMAIL, DISCOVERY