The CYFIRMA research and advisory team uncovered the VanHelsing ransomware while monitoring various underground forums as part of their threat discovery efforts. The ransomware strain encrypts files and demands a ransom for their decryption. It also uses double extortion tactics, threatening to leak stolen data to coerce victims into paying. Targeting the prevalent Windows operating system, VanHelsing presents a major threat to industries and organizations. It has been observed attacking sectors such as government, manufacturing, and pharmaceuticals across the U.S. and France.

“Once executed, VanHelsing appends the ‘[dot]vanhelsing’ extension to encrypted files, modifies the desktop wallpaper, and drops a ransom note named ‘README[dot]txt’ on the victim’s system,” the team disclosed on Thursday in its Weekly Intelligence Report.

CYFIRMA noted that debugging environments are used by developers to analyze and troubleshoot software. VanHelsing checks whether it is running in such a debug environment; this anti-debugging feature helps the ransomware evade analysis and detection attempts.

“The ransomware is making calls to the Windows Management Instrumentation (WMI) framework,” it added. “WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.”

Additionally, VanHelsing registers itself under a registry key that manipulates how a legitimate executable image is launched. “This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.”

Based on available data, CYFIRMA’s assessment suggests that VanHelsing ransomware, which has already impacted the U.S. and France, is emerging as a global threat. “Its evolving tactics suggest expansion beyond government and manufacturing to critical industries like finance, healthcare, and others. The double extortion approach heightens its risk, making essential sectors worldwide more vulnerable. Strengthening cybersecurity defenses is crucial to mitigating potential attacks,” it added.

To protect organizations, CYFIRMA suggested implementing sound security protocols, with properly configured encryption, authentication, and access credentials governing access to critical systems in both cloud and local environments. Organizations must also maintain backups of critical systems that can be used to restore data should the need arise.

Additionally, a data breach prevention plan must be developed that considers the type of data managed by the company, the remediation process, where and how the data is stored, and whether there is an obligation to notify the local authority. Organizations must also adopt a zero-trust architecture and multifactor authentication (MFA) to mitigate credential compromise, and foster a culture of cybersecurity by encouraging and investing in employee training so that security becomes an integral part of the organization.

CYFIRMA also called on organizations to update applications and software regularly with the latest versions and security patches to protect against VanHelsing ransomware. They should also deploy the Sigma rule for threat detection and monitoring, which helps detect anomalies in log events and identify and monitor suspicious activity, and build safeguards by monitoring and blocking the IOCs and strengthening defenses based on the tactical intelligence provided.
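As an added illustration of the kind of log-based detection the report recommends (example code, not CYFIRMA's Sigma rule or anything from the report), the script below scans file-activity log lines for the two host-level indicators the report describes, a burst of renames to the ‘.vanhelsing’ extension and the creation of a ‘README.txt’ note. The log format, host names, threshold and time window are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample file-activity log lines (assumed format: timestamp host event path).
SAMPLE_LOG = """\
2025-03-20T10:01:02 ws01 RENAME C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.vanhelsing
2025-03-20T10:01:03 ws01 RENAME C:\\Users\\a\\Documents\\notes.docx -> C:\\Users\\a\\Documents\\notes.docx.vanhelsing
2025-03-20T10:01:03 ws01 RENAME C:\\Users\\a\\Pictures\\cat.jpg -> C:\\Users\\a\\Pictures\\cat.jpg.vanhelsing
2025-03-20T10:01:04 ws01 CREATE C:\\Users\\a\\Desktop\\README.txt
2025-03-20T10:05:00 ws02 RENAME C:\\tmp\\old.log -> C:\\tmp\\old.log.bak
2025-03-20T10:05:01 ws02 CREATE C:\\Users\\b\\README.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")
ENCRYPTED_EXT = ".vanhelsing"   # extension appended to encrypted files (from the report)
RANSOM_NOTE = "readme.txt"      # ransom note file name (from the report)
RENAME_THRESHOLD = 3            # assumed tuning value: renames per window that trigger an alert
WINDOW_SECONDS = 60             # assumed tuning value: burst window

def parse(line):
    """Split one log line into (timestamp, host, event, path-part); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    return datetime.fromisoformat(ts), host, event, rest

def detect(log_text):
    """Return {host: details} for hosts showing a burst of .vanhelsing renames.
    A README.txt on its own is only recorded as corroboration, not alerted on,
    because that file name is common in benign software."""
    renames = defaultdict(list)  # host -> timestamps of renames to the encrypted extension
    notes = set()                # hosts on which a README.txt was created
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, event, rest = rec
        if event == "RENAME" and rest.split(" -> ")[-1].lower().endswith(ENCRYPTED_EXT):
            renames[host].append(ts)
        elif event == "CREATE" and rest.lower().endswith("\\" + RANSOM_NOTE):
            notes.add(host)
    alerts = {}
    for host, times in renames.items():
        times.sort()
        # Largest number of encrypted-extension renames inside any WINDOW_SECONDS span.
        burst = max(sum(1 for t in times[i:] if (t - start).total_seconds() <= WINDOW_SECONDS)
                    for i, start in enumerate(times))
        if burst >= RENAME_THRESHOLD:
            alerts[host] = {"renames_in_window": burst, "ransom_note": host in notes}
    return alerts
```

Running `detect(SAMPLE_LOG)` alerts only on ws01, where three renames land within one window and a note follows; ws02 creates a README.txt but no encrypted-extension renames, so it is not flagged.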

Last month, industrial cybersecurity firm Dragos noted a 60 percent rise in ransomware groups affecting OT/ICS (operational technology/industrial control systems) in 2024. Notably, 69 percent of all ransomware attacks targeted 1,171 manufacturing entities across 26 distinct manufacturing subsectors, highlighting manufacturing as the primary target for ransomware, accounting for over 50 percent of attacks, totaling 1,171 incidents.
