3 New Ransomware Strains Your SOC Needs to Know About


Spotting ransomware early is all about knowing what to look for. But with new strains constantly shifting tactics, even sharp-eyed analysts can miss the warning signs.

So, here’s the question: Which threats should you actually be paying attention to right now?

Let’s look at the threats that deserve your attention right now. These ransomware families have been causing trouble lately; we’ll break down how they operate, what to watch for, and how to catch them early, before they get a chance to do real damage to your business.

1. BERT Ransomware: Simple Code, Serious Damage

BERT might not have the most sophisticated payload, but don’t let that fool you; it’s fast, aggressive, and actively targeting organizations across Asia, Europe, and the U.S. What makes it dangerous isn’t complexity, but how quickly it escalates once it’s inside.

We’re talking about a strain that disables defenses, elevates privileges, and starts encrypting files almost immediately. On Linux systems, it can even shut down ESXi virtual machines and use up to 50 threads to speed up encryption.

Real-World Look Inside a Live Attack

Here’s a clear example of BERT in action, captured in an ANY.RUN interactive sandbox session:

View analysis session with BERT

BERT ransomware sample analyzed inside ANY.RUN’s interactive sandbox

In the process tree (right side of the screen), we can see the full execution chain, from the executable launching from the desktop to the moment its malicious activity begins. For instance:

  • Writing to Office application startup folders
  • Creating persistence via registry run keys
  • Modifying Chrome extension folders
  • Dropping files in system directories
  • Displaying the typical ransom behavior tied to .bert extensions
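The behaviors in the list above are all file-system and registry side effects, which makes them easy to turn into detection logic once a sandbox (or EDR) exports its events. The following is an added example, not code from the original article or from ANY.RUN: it matches a constructed sample of file/registry events against simple path rules for the Office startup folder, Run keys, the Chrome extensions directory, drops into system directories, and files renamed with the .bert extension, tagging each hit with its public MITRE ATT&CK technique ID. The event shape, sample paths and the "persistence plus encryption extension" verdict logic are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sandbox-style events (event_type, target_path). These are NOT
# real ANY.RUN output, just sample data shaped like a file/registry trace.
SAMPLE_EVENTS = [
    ("file_write",  r"C:\Users\analyst\AppData\Roaming\Microsoft\Word\STARTUP\helper.dotm"),
    ("reg_write",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper"),
    ("file_write",  r"C:\Users\analyst\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaa\manifest.json"),
    ("file_write",  r"C:\Windows\System32\update.tmp"),
    ("file_rename", r"C:\Users\analyst\Documents\q2-report.xlsx.bert"),
    ("file_rename", r"C:\Users\analyst\Documents\budget.docx.bert"),
    ("file_write",  r"C:\Users\analyst\Documents\notes.txt"),   # benign user activity
]

# (rule name, ATT&CK technique, event types it applies to, path pattern).
# Technique IDs are the public MITRE ATT&CK identifiers for these behaviours;
# the path patterns are the well-known Windows locations, not BERT-specific IoCs.
RULES = [
    ("office_startup_folder", "T1137", {"file_write"},
     re.compile(r"\\Microsoft\\(?:Word\\STARTUP|Excel\\XLSTART|PowerPoint\\STARTUP)\\", re.I)),
    ("registry_run_key", "T1547.001", {"reg_write"},
     re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)", re.I)),
    ("chrome_extension_dir", "T1176", {"file_write"},
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Extensions\\", re.I)),
    ("system_dir_drop", "T1036.005", {"file_write"},
     re.compile(r"^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\", re.I)),
    ("ransomware_extension", "T1486", {"file_rename", "file_write"},
     re.compile(r"\.bert$", re.I)),
]


def match_events(events):
    """Return one hit per (event, rule) pair as (rule_name, technique, path)."""
    hits = []
    for event_type, path in events:
        for name, technique, types, pattern in RULES:
            if event_type in types and pattern.search(path):
                hits.append((name, technique, path))
    return hits


def summarize(events):
    """Count hits per rule and decide whether the combination looks BERT-like:
    at least one persistence mechanism plus files renamed to the .bert extension."""
    counts = Counter(name for name, _, _ in match_events(events))
    persistence = {"office_startup_folder", "registry_run_key", "chrome_extension_dir"}
    verdict = counts["ransomware_extension"] > 0 and any(counts[r] for r in persistence)
    return {"counts": dict(counts), "ransomware_like": verdict}


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("%-22s %-10s %s" % hit)
    print(summarize(SAMPLE_EVENTS))
```

Requiring both a persistence hit and the extension hit keeps a single Run-key write (which plenty of legitimate installers produce) from triggering on its own; the individual rule hits are still returned so an analyst can review them.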


All of this unfolds within a contained, observable environment, with no risk to production systems and no guesswork.

All the malicious tactics and techniques related to the process displayed clearly inside the sandbox

For analysts, this kind of visibility changes the game. You don’t need to rely on static signatures or incomplete telemetry; you get the full picture, including every executed TTP, mapped against MITRE ATT&CK, with file, network, and process data laid out in real time.

BERT ransomware found automatically inside ANY.RUN sandbox

This helps organizations avoid downtime, shorten incident response cycles, and keep clear, documented evidence for when it’s time to update detection rules, brief stakeholders, or coordinate a broader defense strategy.

2. Interlock: When Fake Updaters Open the Door

Interlock might look like just another fake updater, but underneath the surface, it’s a coordinated double-extortion threat that’s been quietly hitting healthcare providers across the U.S., often going undetected for weeks.

The malware disguises itself as trusted software installers (like Chrome or Microsoft Teams), uses encrypted URLs to contact C2 servers, and deploys a RAT to exfiltrate data. For overwhelmed SOC teams, that’s a dangerous combination: trusted names, slow detection, real damage.

Breaking Down the Attack in a Sandbox

In the following sandbox session, we can see exactly how the Interlock group tricked users, starting with a malicious website disguised as a legitimate Apple product store. At first glance, everything looks normal. But as soon as the user clicks the ChromeSetup.exe link hosted on apple-online.shop, the real activity begins.

View analysis session with Interlock

The malicious website used by Interlock displayed in ANY.RUN’s sandbox

The fake Chrome installer silently drops a file, sets up persistence, and begins reaching out to the attacker’s infrastructure. Here are just a few processes we see inside this ANY.RUN session:

  • ChromeSetup.exe launches from the fake Apple website, initiating the attack
  • Updater.exe follows shortly after, acting as the payload dropper
  • Multiple instances of msedge.exe appear, including renderer and GPU processes used to disguise malicious activity
  • Finally, the dropped file establishes connections to known malicious domains over encrypted channels
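The chain above (browser, installer-named executable, dropper, spawned browser processes, outbound connection) is a process-tree pattern rather than a signature, so it can be checked generically. Below is an added example, not code from the original article or from ANY.RUN: it walks a constructed process tree, starts a chain at every outermost installer-like process name, and reports the chain when any process in its subtree contacts a host a genuine installer would not. A real installer chain that only talks to a vendor download host is included for contrast. The event shape, the installer-name pattern, the allowlisted vendor hosts and the C2 placeholder are assumptions; apple-online.shop is the lure domain named in the session above.

```python
import re

# Constructed process-start events (pid, ppid, image) and connection events
# (pid, remote_host), shaped like a sandbox process tree; not real ANY.RUN data.
PROCS = [
    (100, 1,   "explorer.exe"),
    (200, 100, "msedge.exe"),          # user's browser that fetched the download
    (300, 200, "ChromeSetup.exe"),     # fake installer served from the lure site
    (400, 300, "Updater.exe"),         # dropper launched by the fake installer
    (500, 400, "msedge.exe"),          # browser processes spawned to blend in
    (600, 500, "msedge.exe"),
    (700, 200, "ChromeSetup.exe"),     # a genuine installer run, for contrast
    (800, 700, "setup.exe"),
]
CONNS = [
    (200, "apple-online.shop"),        # lure site from the session
    (400, "c2-placeholder.invalid"),   # placeholder standing in for the real C2 host
    (800, "dl.google.com"),            # vendor host a real Chrome installer fetches from
]

# Process names that look like software installers or updaters (assumption).
INSTALLER_NAME = re.compile(r"(?:chrome|teams)\w*setup.*\.exe$|^updater\.exe$", re.I)
# Hosts a genuine Chrome/Teams installer is expected to talk to (assumption).
EXPECTED_HOSTS = ("google.com", "gstatic.com", "microsoft.com")


def _allowed(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOSTS)


def detect_fake_installers(procs, conns):
    """Return installer-like root processes whose subtree contacts unexpected hosts."""
    by_pid = {pid: (ppid, img) for pid, ppid, img in procs}
    children = {}
    for pid, ppid, _ in procs:
        children.setdefault(ppid, []).append(pid)

    findings = []
    for pid, ppid, img in procs:
        if not INSTALLER_NAME.search(img):
            continue
        # Only start a chain at the outermost installer-like process, so the
        # dropper (Updater.exe) is attributed to the installer that launched it.
        parent_img = by_pid.get(ppid, (None, ""))[1]
        if INSTALLER_NAME.search(parent_img):
            continue
        # Collect the whole subtree, including the spawned browser processes.
        subtree, stack = [], [pid]
        while stack:
            p = stack.pop()
            subtree.append(p)
            stack.extend(children.get(p, []))
        bad = sorted({h for cpid, h in conns if cpid in subtree and not _allowed(h)})
        if bad:
            findings.append({
                "root_pid": pid,
                "parent": parent_img,
                "chain": [by_pid[p][1] for p in sorted(subtree)],
                "suspicious_hosts": bad,
            })
    return findings


if __name__ == "__main__":
    for f in detect_fake_installers(PROCS, CONNS):
        print(f)
```

The point of the allowlist is to separate "installer-named binary that phones home" from "installer that fetches its payload from the vendor"; tune EXPECTED_HOSTS to the software your environment actually deploys, and treat a miss as a lead for the IOC tab rather than a verdict on its own.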

Chrome installer unpacking malicious payload

Each of these steps is captured and mapped in the sandbox, with all associated IOCs (URLs, domains, file hashes) automatically logged. For analysts, this level of visibility means faster investigation and an easier handoff to response teams or detection engineers.

Relevant IOCs collected in one tab for convenience and faster investigations

3. VanHelsing: Multi-Platform Ransomware

VanHelsing is a fast-moving RaaS operation that first appeared in early 2025, offering its payload to affiliates with a clear rule: avoid CIS countries; everyone else is fair game. It’s already made headlines for targeting U.S. municipalities and European enterprises, leveraging double extortion tactics and hitting critical systems with minimal warning.

What sets VanHelsing apart is its broad platform support (Windows, Linux, BSD, ARM, and even ESXi) and a toolkit focused on anti-analysis, stealth execution, and rapid encryption using ChaCha20 with Curve25519 key exchange. Its use of WMI, time-based sandbox evasion, and rootkit-level access gives analysts little surface area, unless you’re watching it in action.

Tracing VanHelsing in a Sandbox Session

Inside the sandbox, VanHelsing wastes no time. It begins by scanning all available drives, including network shares, while carefully avoiding system-critical files to keep the machine operational.

View analysis session with VanHelsing

Background image change by VanHelsing displayed inside ANY.RUN sandbox

Once the ransomware is fully deployed, the encryption process kicks in. VanHelsing uses ChaCha20 to encrypt files and appends the .vanhelsing extension to each one, as seen in the file modification logs.

File modifications clearly displayed inside ANY.RUN sandbox

At the same time, it drops ransom notes titled README.txt across affected directories. The note includes a message threatening data leaks, a list of .onion sites for communication, and a ticket ID required to initiate payment negotiations.

Ransom note exposed inside interactive sandbox
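The cipher itself (ChaCha20 with a Curve25519 key exchange) offers nothing to detect, but its side effects do: a burst of renames to one new extension across many directories, followed by the same note file appearing in each of them. The following is an added example, not code from the original article or from ANY.RUN, and it generalizes beyond VanHelsing: it counts how many renames to any single extension land inside a sliding time window and records the directories in which a ransom note is created, so it would fire on .vanhelsing, .bert or any extension it has never seen. The trace, window length and threshold are constructed assumptions; README.txt is the note name reported above.

```python
from collections import defaultdict

NOTE_NAMES = {"readme.txt"}   # note filenames to watch; README.txt is from the session
WINDOW_S = 10.0               # sliding window in seconds (assumption)
BURST_THRESHOLD = 25          # renames to one extension inside the window (assumption)


def build_sample_events():
    """Constructed file-event trace as (t_seconds, op, path); not real sandbox output."""
    events = []
    t = 1000.0
    for i in range(40):   # 40 documents renamed within two seconds
        events.append((t + i * 0.05, "rename", rf"C:\Users\analyst\Documents\doc{i}.docx.vanhelsing"))
    for d in (r"C:\Users\analyst\Documents", r"C:\Users\analyst\Desktop", r"D:\share\finance"):
        events.append((t + 2.5, "create", d + r"\README.txt"))
    events.append((t + 60.0, "rename", r"C:\Users\analyst\Documents\old.txt.bak"))    # benign
    events.append((t + 61.0, "rename", r"C:\Users\analyst\Documents\older.txt.bak"))  # benign
    events.append((t + 300.0, "rename", r"C:\Users\analyst\Documents\late.pdf.vanhelsing"))  # outside window
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fit inside any window of the given length."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(events):
    """Flag extension-rename bursts and ransom-note drops across directories."""
    rename_times = defaultdict(list)
    note_dirs = set()
    for t, op, path in events:
        directory, _, name = path.rpartition("\\")
        if op == "create" and name.lower() in NOTE_NAMES:
            note_dirs.add(directory)
        elif op == "rename" and "." in name:
            ext = "." + name.rsplit(".", 1)[1].lower()
            rename_times[ext].append(t)
    bursts = {ext: _max_in_window(ts, WINDOW_S) for ext, ts in rename_times.items()}
    bursts = {ext: n for ext, n in bursts.items() if n >= BURST_THRESHOLD}
    return {
        "bursts": bursts,                      # extension -> peak renames in one window
        "ransom_note_dirs": sorted(note_dirs),
        # A burst plus the same note in two or more directories is the combined signal.
        "verdict": bool(bursts) and len(note_dirs) >= 2,
    }


if __name__ == "__main__":
    print(analyze(build_sample_events()))
```

Because the detector keys on "many renames to one extension in a short time" rather than on a known extension, a new strain that changes its suffix still trips it; the threshold is what you tune against backup and archiving jobs that legitimately rename files in bulk.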

VanHelsing was built to slow down defenders. Anti-VM checks, delayed execution, fast-flux networking, and root-level behavior all serve one goal: staying ahead of detection. But inside an interactive sandbox, that control breaks down.

Analysts get full transparency into the kill chain, enriched IOCs, and structured data that can be immediately shared or applied to EDR rules, SIEM queries, or TI enrichment. It saves hours during incident response and reduces the risk of overlooking a fast-moving, high-impact ransomware like VanHelsing.

Strengthen Your Defenses with Full Visibility

Ransomware families like BERT, Interlock, and VanHelsing show just how fast threats are evolving, and how easy it is to miss them without the right tools.

For analysts, an interactive sandbox like ANY.RUN gives the context to detect threats earlier, the confidence to respond faster, and the evidence to back up your decisions. But the value doesn’t stop there.

ANY.RUN helps reduce incident response time, uncover hidden IOCs, and cut costs tied to breaches, downtime, and cleanup. It also supports reporting, detection rule updates, and team collaboration across security operations.

Try ANY.RUN for 14 days and see how quickly threats reveal themselves when you can observe the full execution in real time.
