DIGITAL LIFE

VanHelsing ransomware is on the loose

A report from Fortinet, through its research division FortiGuard Labs, has identified a new emerging ransomware variant, called “VanHelsing”. The first samples of this threat were submitted for analysis in mid-March 2025.

VanHelsing ransomware operates by encrypting victims’ files, then demanding a ransom for their decryption. In addition, the group responsible for the threat publishes stolen information on a website on the TOR network, as a way of pressuring victims.

According to Fortinet’s “Ransomware Roundup” report, VanHelsing ransomware’s method includes using ransom notes to communicate with victims. Initial investigation, in late March 2025, confirmed the existence of six victims on the group’s data breach website. A new check in mid-April revealed the addition of one more victim.

Fortinet notes that the actual number of affected entities may be higher, as victims who pay the ransom may be removed from the public website, making it difficult to accurately measure its spread.

Victim profile and geographic reach...Analysis of publicly exposed victims indicates that the VanHelsing ransomware has an international reach. Confirmed victims are spread across four countries, with half of them located in the United States. The remainder are located in Italy, France and Australia.

The most affected industrial sector to date is manufacturing, with two victims reported. The report also highlights that one of the targets was a municipal government organization in the United States, a fact that suggests that the group may have no restrictions on the sectors it targets.

In summary, the Fortinet report points to the emergence of a new VanHelsing ransomware threat with transnational activity. The profile of VanHelsing's targets, which includes both the private sector and government entities, demonstrates the indiscriminate nature of the threat.

https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing

mundophone