
Vanguard Ransomware

Posted: March 7, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 76
First Seen: March 7, 2017
OS(es) Affected: Windows

The Vanguard Ransomware is a Trojan that encrypts your files to block access to them, and then uses that leverage to pressure you into paying a ransom for the decryption key. Unlocking your content via other means isn't always possible, and malware experts advise that you back up any files that you can't afford to lose during such attacks. Ideally, your anti-malware solutions should detect and remove the Vanguard Ransomware before it begins locking anything on your PC.

A Vanguard Trojan Using 'Old Guard' Style Attacks

Although threat actors using Trojan-based extortion often insist on high-visibility branding imagery, that branding often doesn't correspond to the attacks they actually use. In some cases, they may imitate old, notorious Trojans like the Jigsaw Ransomware. In others, such as the Vanguard Ransomware, they can misrepresent their standardized payloads as being new or innovative. This new Trojan's most unusual characteristic is its choice of Go as its programming language, although even that decision is one that it shares with the '.braincrypt File Extension' Ransomware and the YourRansom Ransomware.

The Vanguard Ransomware makes Registry changes that allow it to launch automatically after its install routine completes. Then, it loads a hidden instance of the CMD program to issue various malicious commands, including one for deleting the Shadow Copy backups. Malware experts also spotted changes to proxy and Web-browsing settings that could assist the Vanguard Ransomware with contacting a C&C server for purposes like notifying the threat actor of the infection.
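The three behaviors described above (a Run-key entry for auto-launch, a hidden CMD instance that deletes the Shadow Copy backups, and a rewrite of the proxy settings) are each visible in ordinary Windows endpoint telemetry. The following Python script is an added example, not code from the original write-up or from any Vanguard Ransomware sample: it runs a few detection rules over a constructed feed of Sysmon-style process and registry events, then correlates the hits per originating process so a single dropper that trips all three surfaces as one incident. The dropper name `invoice.exe`, its Temp path, the process IDs, and the exact shadow-deletion command (`vssadmin delete shadows`) are assumptions; the write-up only says a hidden CMD deletes Shadow Copies without naming the command.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from any real Vanguard Ransomware sample): a
# small feed of process-creation and registry-write events in a Sysmon-like shape.
# "invoice.exe", its Temp path and the PIDs are illustrative assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "4120", "ppid": "1204",
     "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    # Persistence: the dropper registers itself under the user's Run key.
    {"type": "registry", "pid": "4120",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vanguard",
     "value": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    # Backup destruction: a child cmd.exe deletes the Shadow Copies.
    {"type": "process", "pid": "4188", "ppid": "4120",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    # Proxy tampering: the dropper rewrites the WinINet proxy server value.
    {"type": "registry", "pid": "4120",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
     "value": "127.0.0.1:8080"},
    # Benign noise: an interactive cmd.exe started from Explorer, listing a directory.
    {"type": "process", "pid": "5000", "ppid": "1204",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Commands that destroy Volume Shadow Copies or the backup catalog (assumed set;
# the write-up only says the Trojan deletes Shadow Copy backups via a hidden CMD).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE)
# Directories a freshly dropped executable is likely to be launched from.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PROXY_KEY = re.compile(
    r"\\Internet Settings\\(ProxyServer|ProxyEnable|AutoConfigURL)$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (rule_id, severity, detail)


def analyze(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply each detection rule to every event and return the findings in feed order."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            if SHADOW_DELETE.search(ev["cmdline"]):
                findings.append(("shadow_copy_deletion", "high", ev["cmdline"]))
            # cmd.exe spawned by something living in a user-writable directory is
            # the "hidden CMD instance" pattern; an Explorer-launched shell is not.
            if ev["image"].lower().endswith(r"\cmd.exe") and USER_WRITABLE.search(ev["parent"]):
                findings.append(("cmd_from_user_writable_parent", "medium", ev["parent"]))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
                findings.append(("run_key_persistence", "high", ev["key"]))
            if PROXY_KEY.search(ev["key"]):
                findings.append(("proxy_settings_change", "medium",
                                 f'{ev["key"]} = {ev["value"]}'))
    return findings


def correlate(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Attribute each finding to the process responsible for it (the spawner of a
    child process, or the writer of a registry value) and report any process that
    trips at least `threshold` distinct rules. One dropper that persists, kills the
    Shadow Copies and rewrites proxy settings is far more telling than any single hit."""
    by_pid: Dict[str, set] = {}
    for ev in events:
        origin = ev["ppid"] if ev["type"] == "process" else ev["pid"]
        for rule, _severity, _detail in analyze([ev]):
            by_pid.setdefault(origin, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= threshold}


if __name__ == "__main__":
    for rule, severity, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {detail}")
    for pid, rules in correlate(SAMPLE_EVENTS).items():
        print(f"incident: pid {pid} tripped {len(rules)} rules: {', '.join(rules)}")
```

Run against the constructed feed, the single-event rules fire four times while the Explorer-launched `cmd.exe /c dir` stays silent, and the correlation step attributes all four hits to PID 4120, the dropper. Feeding it real Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) records only requires mapping those fields onto the `type`/`pid`/`ppid`/`image`/`parent`/`cmdline`/`key`/`value` keys used here.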

All of these features are secondary to the Vanguard Ransomware's main payload, which focuses on encoding your files with an encryption cipher. The Vanguard Ransomware scans for hundreds of different data formats, such as DOC documents or ZIP archives, and encodes them to prevent them from opening. The Vanguard Ransomware follows this attack with a ransom message in a Notepad file, with phrasing copy-pasted directly from unrelated Trojan campaigns. Victims are asked to pay Bitcoins for the decryption key or risk losing their content permanently.

Guarding What's Yours from Cut-and-Paste Trojans

Besides eschewing the more traditional coding languages, the Vanguard Ransomware offers little in the way of creativity in Trojan attacks. Using Go has not provided the Vanguard Ransomware with any advantages in stealth features, and a clear majority of anti-malware products have proven themselves capable of detecting various samples of this threat. Preventative security protocols are especially important for Trojans of this classification, which are often capable of inflicting file damage that the victim can't reverse.

While its campaign doesn't appear to be fully developed, the Vanguard Ransomware's distribution strategy already seems to be exploiting fake Microsoft Office content. E-mail attachments are one of the most prominent distribution methods that con artists prefer for exposing victims to corrupted documents, whereas compromised websites are most likely to promote fake software updates and installers. Letting anti-malware products auto-detect browser-based threats and actively scan all downloads should eliminate the Vanguard Ransomware before it becomes a security hazard.

For the time being, paying the Vanguard Ransomware's administrator is theoretically the only means of gaining access to its key and decrypting your files. However, as long as threat authors are using cryptocurrencies like Bitcoin for their transactions, victims run the risk of making payments that give back nothing for their PCs.
