Ransomware isn’t new, but the way VanHelsing operates should worry anyone responsible for cybersecurity. First spotted in March 2025, this Ransomware-as-a-Service (RaaS) operation has already hit organizations across the U.S., France, Italy, and Australia, and its evasion tactics make it a nightmare to detect.

Security researchers have now emulated its behavior, giving businesses a way to test their defenses before they’re hit. Here’s what makes VanHelsing dangerous and how you can stay protected.

How VanHelsing Works: Double Extortion & Cross-Platform Attacks

Unlike older ransomware strains, VanHelsing doesn’t just encrypt files; it steals data and threatens to leak it unless victims pay up in Bitcoin. This double extortion model has become a favorite among cybercriminals because it pressures victims into paying, even if they have backups.

What’s more concerning? VanHelsing doesn’t stick to one system. It targets:

  • Windows (via a C++-based variant)

  • Linux & BSD systems

  • ARM-based devices (like servers and IoT hardware)

  • VMware ESXi environments (a favorite for enterprise networks)

Once inside, it appends encrypted files with “.vanhelsing” and leaves a ransom note. But before that, it does everything possible to avoid detection and sabotage recovery.

Evasion Tactics: How VanHelsing Hides in Plain Sight

VanHelsing isn’t just another ransomware strain; it’s deliberately stealthy. Researchers found it uses several tricks to stay under the radar:

✔ Debugger Checks: It calls the IsDebuggerPresent Windows API to see if security tools are analyzing it. If detected, it may terminate itself to avoid reverse-engineering.

✔ System Discovery: Before encrypting files, it maps out the system using multiple API calls, identifying critical folders and avoiding unnecessary attention.

✔ Sabotaging Backups: Like many modern ransomware strains, it deletes Volume Shadow Copies (VSS), making it harder to restore files without paying.

These techniques make VanHelsing harder to catch before it’s too late, which is why proactive defense testing is crucial.

Who’s at Risk? (And How to Test Your Defenses)

As of May 14, 2025, confirmed attacks have hit five organizations across multiple industries. But given its RaaS model (where cybercriminals can rent the malware), experts warn that broader attacks are likely.

The good news? AttackIQ, a cybersecurity firm, has released a full attack simulation of VanHelsing’s behavior. This lets businesses:
✅ Test detection capabilities before an actual attack
✅ Identify weak spots in their security setup
✅ Improve incident response for ransomware scenarios

If your organization hasn’t stress-tested defenses against advanced ransomware, now’s the time.

How to Protect Against VanHelsing (Before It Strikes)

Since VanHelsing relies on stealth, traditional antivirus tools might miss it. Here’s what security teams should prioritize:

Monitor for API Abuse: VanHelsing uses IsDebuggerPresent and VSS deletion commands; tools like EDR (Endpoint Detection and Response) can flag these actions.
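As an added illustration (not code from this post, from AttackIQ, or from the malware itself), the script below shows what the detection logic behind that advice can look like: it runs simple rules over constructed Sysmon-style log lines and flags two of the behaviors described above, shadow copy deletion from the evasion section and the “.vanhelsing” extension from the encryption step, then correlates the two to the process that did both. The vssadmin and wmic command shapes are an assumption about the generic form of shadow copy deletion; the post does not quote VanHelsing’s exact commands, and every path, user, and command in the sample data is made up.

```python
"""Sample detection rules for two VanHelsing behaviours described in the post:
shadow copy deletion and writes of ".vanhelsing" files.
Added illustration only; not the post's, AttackIQ's, or the malware's code.
"""
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (EventID 1 = process create,
# EventID 11 = file create). Every path, user and command here is invented.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\alice\Downloads\update.exe',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\alice\Downloads\update.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=11 Image=C:\Users\alice\Downloads\update.exe TargetFilename=C:\Users\alice\Documents\budget.xlsx.vanhelsing',
    r'EventID=11 Image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" TargetFilename=C:\Users\alice\Documents\budget.xlsx',
]

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: generic shadow copy deletion command shapes. The post does not
# quote VanHelsing's exact command line, so the rule matches the common forms.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
RANSOM_EXT = ".vanhelsing"  # extension the post says VanHelsing appends


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_event(event):
    """Return the name of the rule this event triggers, or None."""
    if event.get("EventID") == "1":
        cmd = event.get("CommandLine", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            return "shadow_copy_deletion"
    elif event.get("EventID") == "11":
        if event.get("TargetFilename", "").lower().endswith(RANSOM_EXT):
            return "ransom_extension_write"
    return None


def detect(lines):
    """Run every line through the rules; return (rule, actor_image) pairs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rule = check_event(ev)
        if rule is None:
            continue
        # For shadow copy deletion the interesting actor is the parent that
        # launched vssadmin/wmic, not the built-in tool itself.
        actor = ev.get("ParentImage") if rule == "shadow_copy_deletion" else ev.get("Image")
        findings.append((rule, actor))
    return findings


def correlate(findings):
    """Images that both deleted shadow copies and wrote .vanhelsing files."""
    rules_by_actor = defaultdict(set)
    for rule, actor in findings:
        rules_by_actor[actor].add(rule)
    wanted = {"shadow_copy_deletion", "ransom_extension_write"}
    return sorted(a for a, r in rules_by_actor.items() if wanted <= r)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, actor in hits:
        print(f"{rule:24s} {actor}")
    print("high-confidence ransomware actors:", correlate(hits))
```

Run as-is, the script flags both shadow copy deletions and the “.vanhelsing” write but leaves the harmless “vssadmin list shadows” and the normal Excel save alone, and the correlation step names the single made-up downloader as the process behind both behaviors. In a real EDR or SIEM the same two rules would be attached to Sysmon Event ID 1 and 11 telemetry, with the parent-process pivot doing the work of separating an attacker-launched vssadmin from an administrator’s.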

Restrict Unnecessary Permissions: Limiting admin rights and network access can slow down ransomware before it spreads.

Assume Data Will Be Stolen: With double extortion, backups alone aren’t enough. Encrypt sensitive files and prepare for potential leaks.

Test Defenses with Emulations: AttackIQ’s VanHelsing attack graph lets organizations simulate an attack; use it to find gaps.

Final Thoughts: A Growing Threat (But Not Undefeatable)

VanHelsing is evolving fast, and its cross-platform reach makes it a serious concern. But with proper detection strategies, access controls, and proactive testing, businesses can reduce their risk.

The key takeaway? Don’t wait for an attack. Test your systems now because ransomware won’t give you a second chance.
