New Cybercriminal Attacks Windows with Advanced Encryption and Detection Evasion

21.03.2025 2 minutes Author: Newsman

A new ransomware virus, VanHelsing, has gone hunting for Windows systems in the US and France, using advanced encryption techniques and sophisticated mechanisms to evade detection. It not only blocks access to files, but also steals important information, forcing victims to pay in Bitcoin.

  • VanHelsing was first detected on March 16, 2025. Its main targets were government agencies, manufacturing enterprises and pharmaceutical companies. The virus encrypts files by adding the “.vanhelsing” extension, replaces the desktop image with a warning and leaves a README.txt file with instructions from the attackers.
  • In addition to traditional encryption, VanHelsing uses a double-extortion strategy: it not only blocks files, but also steals personal data, financial statements and other critical information. If the ransom is not paid, this data may be made public. Advanced evasion techniques include low-level hard drive access, rootkits, process injection, and file permission manipulation. The virus also hides its activities by using Windows Management Instrumentation (WMI), scheduled tasks, and registry changes.

Victims can contact the hackers via a special Tor chat, which makes the attackers difficult to track. Such attacks are becoming increasingly common. Double extortion, which involves both locking data and stealing it, has already been used by cybercriminal groups such as LockBit, Conti, and BlackCat. VanHelsing’s high level of technical sophistication makes it particularly dangerous for businesses and government agencies.

Experts recommend that companies immediately strengthen their data backup system, implement multi-factor authentication, regularly update software, and deploy a Zero-Trust architecture. It is also important to monitor traffic for unencrypted connections and carefully scan suspicious files.
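The two on-disk indicators named above (the ".vanhelsing" extension and a README.txt note) can be swept for during triage. The following is an added example, not code from the article or from any vendor; the function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".vanhelsing"   # extension named in the article
NOTE_NAME = "readme.txt"        # ransom note name named in the article

def sweep(root):
    """Return per-directory findings under root, worst-hit first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]   # Windows names are case-insensitive
        hits = [f for f in lowered if f.endswith(ENCRYPTED_EXT)]
        if not hits:
            continue                           # a README.txt alone is not an indicator
        findings.append({
            "dir": dirpath,
            "encrypted": len(hits),
            # files not yet renamed hint at encryption that was interrupted
            "untouched": sum(1 for f in lowered
                             if not f.endswith(ENCRYPTED_EXT) and f != NOTE_NAME),
            "note_present": NOTE_NAME in lowered,
        })
    return sorted(findings, key=lambda f: f["encrypted"], reverse=True)

def build_sample_tree(root):
    """Constructed sample data: one affected folder, one clean folder."""
    layout = {
        "finance": ["q1.xlsx.vanhelsing", "q2.xlsx.VANHELSING", "README.txt", "new.docx"],
        "docs": ["README.txt", "manual.pdf"],
    }
    for folder, names in layout.items():
        (Path(root) / folder).mkdir(parents=True)
        for name in names:
            (Path(root) / folder / name).write_bytes(b"sample")

def demo():
    """Run the sweep over the constructed tree and return compact rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(Path(f["dir"]).name, f["encrypted"], f["untouched"], f["note_present"])
                for f in sweep(tmp)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Folders that report both renamed files and a note mark where encryption ran; a non-zero "untouched" count suggests it was interrupted there, which helps decide what to restore from backup first.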
