
By Shunichi Imano and Fred Gutierrez | May 16, 2025

 

FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the VanHelsing ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows
Impact: Encrypts victims' files and demands a ransom for file decryption
Severity level: High

 

VanHelsing Ransomware Overview

The first sample of the VanHelsing ransomware appeared on a publicly available file-scanning site in mid-March 2025. Like other ransomware, VanHelsing drops ransom notes that demand payment to decrypt the victim's files.

 

Infection Vector

Information on the infection vector used by the VanHelsing ransomware threat actor is unavailable. However, it is not likely to differ significantly from those used by other ransomware groups.

 

Attack Method

When run, the VanHelsing ransomware (SHA2: 99959C5141F62D4FBB60EFDC05260B6E956651963D29C36845F435815062FD98) takes the following command line arguments:

  • -h for help
  • -v for verbose
  • -sftpPassword for spreading over SFTP
  • -smbPassword for spreading over SMB
  • -bypassAdmin for locking the target without admin
  • -noLogs to stop logging
  • -nopriority to stop CPU and IO priority

The VanHelsing ransomware then encrypts files on the compromised machines and adds the file extension “.vanlocker” to affected files.
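
The command-line arguments, sample hash and ".vanlocker" extension listed above can be combined into a simple triage check over endpoint telemetry. The Python below is an added example, not part of the original report or of any Fortinet product; the event dictionary layout, the constructed sample events, the thresholds and the case-insensitive token matching are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the report above.
KNOWN_SHA256 = "99959c5141f62d4fbb60efdc05260b6e956651963d29c36845f435815062fd98"
# -h and -v are left out: too common in benign tools to be a useful signal.
DISTINCTIVE_FLAGS = {"-sftppassword", "-smbpassword", "-bypassadmin",
                     "-nologs", "-nopriority"}
LOCKED_EXT = ".vanlocker"

def flags_in(cmdline):
    """Return the distinctive flags present as whole tokens (case-insensitive)."""
    # Split on whitespace and '=' so both "-flag value" and "-flag=value" match.
    tokens = {t.lower() for t in re.split(r"[\s=]+", cmdline)}
    return DISTINCTIVE_FLAGS & tokens

def triage(events, min_flags=1, min_files=3):
    """Return (host, reason) alerts from process-creation and file events."""
    alerts, locked = [], {}
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            if ev.get("sha256", "").lower() == KNOWN_SHA256:
                alerts.append((host, "known sample hash"))
            hits = flags_in(ev.get("cmdline", ""))
            if len(hits) >= min_flags:
                alerts.append((host, "flags: " + ",".join(sorted(hits))))
        elif ev["type"] == "file":
            # Only the final extension counts, so "a.vanlocker.txt" is ignored.
            if PureWindowsPath(ev["path"]).suffix.lower() == LOCKED_EXT:
                locked[host] = locked.get(host, 0) + 1
                if locked[host] == min_files:  # alert once per host
                    alerts.append((host, f"{min_files} files renamed to {LOCKED_EXT}"))
    return alerts

# Constructed sample events (hypothetical hosts, paths and values).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": r"C:\Tools\util.exe -h"},
    {"type": "process", "host": "ws02", "sha256": "00" * 32,
     "cmdline": r"C:\Temp\x.exe -v -noLogs -smbPassword Example1"},
    {"type": "file", "host": "ws01", "path": r"C:\Docs\notes.vanlocker.txt"},
    {"type": "file", "host": "ws02", "path": r"C:\Docs\a.docx.vanlocker"},
    {"type": "file", "host": "ws02", "path": r"C:\Docs\b.xlsx.VANLOCKER"},
    {"type": "file", "host": "ws02", "path": r"C:\Docs\c.pdf.vanlocker"},
    {"type": "file", "host": "ws02", "path": r"C:\Docs\d.txt.vanlocker"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

Any one of the three signals is weak on its own; the hash matches only the single sample named in the report, so the flag and extension checks are what carry over to rebuilt binaries.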

 
