{
	"id": "c68a4ad2-32f1-4fb1-a63b-d08ee9b4dc2d",
	"created_at": "2026-04-06T00:19:00.078649Z",
	"updated_at": "2026-04-10T13:12:18.887362Z",
	"deleted_at": null,
	"sha1_hash": "fd2503804af56d0a8df0ec1aae1467c2a4a4f234",
	"title": "Ransomware Roundup – VanHelsing | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57233,
	"plain_text": "Ransomware Roundup – VanHelsing | FortiGuard Labs\r\nPublished: 2025-05-16 · Archived: 2026-04-05 14:03:15 UTC\r\nFortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our\r\ndatasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights\r\ninto the evolving ransomware landscape and the Fortinet solutions that protect against those variants.\r\nThis edition of the Ransomware Roundup covers the VanHelsing ransomware.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows\r\nImpact: Encrypts victims' files and demands a ransom for file decryption\r\nSeverity level: High\r\nVanHelsing Ransomware Overview\r\nThe first sample of the VanHelsing ransomware was made available on a publicly available file-scanning site in\r\nmid-March 2025. Like other ransomware attacks, VanHelsing demands a ransom to decrypt files via dropped\r\nransom notes.\r\nInfection Vector\r\nInformation on the infection vector used by the VanHelsing ransomware threat actor is unavailable. However, it is\r\nnot likely to differ significantly from other ransomware groups.\r\nAttack Method\r\nWhen run, the VanHelsing ransomware (SHA2:\r\n99959C5141F62D4FBB60EFDC05260B6E956651963D29C36845F435815062FD98) takes the following\r\ncommand line arguments:\r\n-h for help\r\n-v for verbose\r\n-sftpPassword for spreading over sftp\r\n-smbPassword for spreading over SMB\r\n-bypassAdmin for locking the target without admin\r\n-noLogs to stop logging\r\n-nopriority to stop CPU and IO priority\r\nThe VanHelsing ransomware then encrypts files on the compromised machines and adds the file extension\r\n“.vanlocker” to affected files.\r\nNote that although this VanHelsing variant\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing\r\nPage 1 of 5\n\n(SHA2: 99959C5141F62D4FBB60EFDC05260B6E956651963D29C36845F435815062FD98)\r\nuses “.vanlocker” as its extension, it still belongs to the VanHelsing ransomware family because it uses the same\r\nransom negotiation and data leak sites as another VanHelsing variant.\r\n(SHA2: 86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17)\r\nThis other variant adds a “.vanhelsing” file extension to the files it encrypts.\r\nThe VanHelsing ransomware exempts the following files:\r\nboot.ini autofun.inf bootfont.bin bootsect.bak\r\ndesktop.ini ntldr ntuser.dat ntuser.dat.log\r\nntuser.ini thumb.db GDIPFONTCACHEV1.DAT iconcache.db\r\nd3d9caps.dat LOGS.txt README.txt\r\nIt also avoids encrypting files with the following file extensions:\r\n.vanlocker .exe .dll .lnk .sys .msi .bat\r\n.bin .com .cmd .386 .adv .ani .cab\r\n.ico .mod .msstyles .msu .nomedia .ps1 .rtp\r\n.syss .deskthemepack .cur .cpl .diagcab .diagcfg .diagpke\r\n.dll .drv .hlp .pdb .hta .key .lock\r\n.ldf .ocx .icl .icns .ics .idx .mod\r\n.mpa .msc .msp .nls .rom .scr .shs\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing\r\nPage 2 of 5\n\n.spl .theme .thempa .wpx\r\nThe VanHelsing ransomware avoids encrypting files in the following folders:\r\ntmp wiint temp thumb\r\n$Recycle.Bin $RECYCLE.BIN System Volume Information boot\r\nWindows Trend Micro program files program files(x86)\r\ntor browser Windows intel all users\r\nmsocache perflogs default microsoft\r\nIt also creates the following mutex:\r\nmutex: Global\\\\VanHelsing\r\nIt may also modify the registry key Software\\Classes\\.vanlocker\\DefaultIcon to use a custom icon for\r\n.VANLOCKER files. However, we did not observe this VanHelsing ransomware sample change the file icon of\r\nthe encrypted files in our testing.\r\nIt then drops the following ransom note in “README.txt”:\r\nThe ransom note directs victims to chat sites operated by the attacker on TOR, where ransom negotiation takes\r\nplace.\r\nThe ransomware also replaces the desktop wallpaper with its own.\r\nVictimology and Data Leak Site\r\nThe VanHelsing ransomware operates a TOR site where the group posts the information it has stolen from its\r\nvictims. At the time of our initial investigation in late March 2025, six victims were on the data leak site, and they\r\nhad added one more victim when we checked back in mid-April.\r\nOur analysis of the VanHelsing ransomware victims listed on the data leak site found:\r\nThe victims are spread out over four different countries.\r\n50% of the victims are in the United States.\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing\r\nPage 3 of 5\n\nThe other victims are in Italy, France, and Australia.\r\nManufacturing is the industry most affected by this, with two victims.\r\nOne of the six victims is a municipal government organization in the U.S., which suggests that the\r\nVanHelsing ransomware group may have no restrictions on who it targets.\r\nNote that victims who have paid the ransom may have been removed from the data leak site. As such, additional\r\ncompanies may have been affected by the VanHelsing ransomware.\r\nFortinet Protections\r\nThe VanHelsing ransomware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/Filecoder_VanHelsing.A!tr.ransom\r\nW32/PossibleThreat\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nFortiGuard Labs Guidance\r\nDue to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the\r\nunwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS\r\nsignatures up to date.\r\nSince the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet\r\nsolutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end\r\nusers learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.\r\nOrganizations will need to make foundational changes to the frequency, location, and security of their data\r\nbackups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with\r\ndigital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks\r\ncan come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices;\r\nadvanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware\r\nmid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and\r\nresources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a\r\nsuccessful ransomware attack.\r\nAs part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across\r\nyour security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing\r\nPage 4 of 5\n\nservice offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.\r\nFortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled\r\nthreat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat\r\nactors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly\r\nrespond to and shut down active threats.\r\nBest Practices Include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom\r\npartly because the payment does not guarantee that files will be recovered. According to a US Department of\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a\r\ncyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nAdditionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what\r\nadversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and\r\nsignificantly reduce the risk, time, and cost of later-stage threat mitigation.\r\nIOCs\r\nVanHelsing Ransomware File IOCs\r\nSHA2 Note\r\n86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17\r\nVanHelsing ransomware\r\n99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing"
	],
	"report_names": [
		"ransomware-roundup-vanhelsing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd2503804af56d0a8df0ec1aae1467c2a4a4f234.pdf",
		"text": "https://archive.orkl.eu/fd2503804af56d0a8df0ec1aae1467c2a4a4f234.txt",
		"img": "https://archive.orkl.eu/fd2503804af56d0a8df0ec1aae1467c2a4a4f234.jpg"
	}
}