The security community has alerted us of a dangerous new malware threat known as the Vanguard Ransomware, read our removal guide to learn more.
Vanguard Ransomware Description
Security researchers have announced the discovery of the latest virus threat known as Vanguard ransomware. It is made by a hacker under the alias of Viktor. Like other popular viruses of this type it encrypts the user’s data, renames them with an appropriate extension and then extorts the victims for a payment.
The initial analysis done by the malware researchers shows that the virus is still in development – its current iteration (at the time of writing this guide) does not show all of the possible features and modules of the core virus. This makes it a dangerous ransomware as we don’t know what the developer is going to include in future updates.
Upon infection the virus first checks the infected host if there is any running sandbox environment or if it has infected a virtual machine. This check is made to guard the virus against honeypots or security analysis environments and tools. Unlike other viruses, the Vanguard ransomware does not register a lot of processes and changes the local network settings to forward the traffic via a malicious proxy server. The consequences of the first stage attacks can be very damaging to the victims as explained below:
- Stealth Protection – The virus aims to protect itself from discovery by most anti-virus solutions. If any are found the virus automatically deletes itself.
- Network Proxy – The virus changes the local network settings and forwards all traffic via a malicious proxy. This is done in order to spy on the users and attempt to extract any account credentials.
- Data Recovery Prevention – Vanguard ransomware deletes all Volume Shadow Copies of the infected machine. This makes data recovery impossible without the use of professional-grade solutions.
- System Information Harvest – The virus is able to extract detailed information about each infected machine.
- Windows Registry Modification – The virus modifies several registry entries and can watch specific keys for any modifications.
There are several files that are associated with the infection. When the first-stage attack is complete the virus files are copied to the %TEMP% location on the local machine. There are several files that are associated with the ransomware:
- vanguard.exe
- msword.exe
- del.bat
- Cab1.tmp
- Cab3.tmp
- Tar2.tmp
- Tar4.tmp
The ransomware is written in the GO programming language. And from the extracted data we can see that its engine interacts with several popular applications. What’s more interesting that there have been captured several different samples that feature slight modifications. As it seems the attack campaign is ongoing.
The encryption engine is started when the ransomware has been installed in the local machine. It targets a large list of file type extensions which include the following:
.123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .aac, .ab4, .ach, .acr, .act,
.adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .arc, .arw, .asc, .asf, .asm, .asp, .aspx,
.asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .bmp, .bpw,
.brd, .bz2, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .cls, .cmd,
.cmt, .com, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .dac, .dat,
.db, .db3, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .dit,
.djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml,
.encrypted, .eps, .erbsql, .erf, .exe, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .fpx, .frm,
.fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hpp, .htm, .html, .hwp, .ibd, .ibz, .idx, .iif,
.iiq, .incpas, .indd, .inf, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm,
.laccdb, .lay, .lay6, .ldf, .lit, .log, .lua, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .mapimail, .max, .mbx, .md, .mdb,
.mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11,
.msg, .myd, .myi, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl,
.nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onenotec2, .orf, .ost, .otg, .oth, .otp,
.ots, .ott, .p12, .p7b, .p7c, .pab, .paq, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl,
.plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd,
.pspimage, .pst, .ptx, .pwm, .py, .qb, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qed, .r3d, .raf, .rar, .rat,
.raw, .rb, .rdb, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda,
.sdf, .sh, .sldm, .sldx, .slk, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6,
.st7, .st8, .stc, .std, .sti, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tbk,
.tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .torrent, .txt, .uop, .uot, .vb, .vbox, .vbs, .vdi, .vhd, .vhdx,
.vmdk, .vmsd, .vmx, .vmxf, .vob, .wab, .wad, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wpd, .wps, .x11,
.x3f, .xis, .xla, .xlam, .xlc, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml,
.ycbcra, .yuv, .zip
This ransomware employs the ChaCha20 and Poly1305 stream cipher and authenticator combination. After the process is complete a ransomware note is crafted in a DECRYPT_INSTRUCTIONS.txt file which has the following contents:
NOT YOUR LANGUAGE? https://translate.google.com
Your personal files and documents have been encrypted with AES-256 and RSA-2048!
Decrypting your files is only possible with decrypt key stored on our server.
Price for key is %bitcoin% BTC (Bitcoin).
1. Send %bitcoin% BTC to %bitcoinaddress%
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
https://www.bitcoin.com/buy-bitcoin
2. Wait some time for transaction to process
3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES!
If you do not pay within %hoursvalid% hours key will become DESTROYED and your files LOST forever!
Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety.
Vanguard Ransomware Distribution
The first malware samples were captured in February 2017 and according to the reports it primarily targets English-speaking users and it is distributed globally.
Vanguard ransomware is associated with several malicious domains which masquerade as legitimate sources of software or famous vendors. Some of its samples pose as being executable files from the Microsoft Office productivity suite and include false copyright information. This makes several distribution case scenarios possible:
- Email Phishing Campaigns – Hackers can impersonate Microsoft Corporation or another famous company or government institution to try and spread the malware samples. In recent times the most dangerous phishing campaigns employ infected Microsoft Office documents that feature malicious macros. The files are constructed in such a way which requires the interaction with them to display the message.
- Fake Download Sites and P2P Networks – The hackers can create dangerous sites that pose as official sources (impersonating Microsoft or another company) for applications, games and updates. P2P networks like BitTorrent are also a popular source for viruses of this type. Computer users should carefully review all sites for any signs that might indicate a fake site – grammar and spelling mistakes, the use of strange domains and free email accounts, as well as any design inconsistencies.
- Exploit Kits – Automated attacks made by exploits kits are a rising trend among hackers. The criminals use various exploits to construct maliicous pages, send bulk email messages and test the predefined targets for any software vulnerabilities.
- Dangerous Scripts – Browser Hijackers and malicious scripts and ad networks can cause such an infection. The dangerous extensions modify the installed browser settings and redirect to various hacker-controlled sites. They change the default homepage, search engine and new tabs page and can also endanger the users privacy by harvesting their history, stored cookies and passwords.
Summary of the Vanguard Ransomware
| Name | Vanguard Ransomware |
| File Extensions | |
| Ransom | Varies |
| Easy Solution | You can skip all steps and remove Vanguard Ransomware ransomware with the help of an anti-malware tool. |
| Manual Solution | Vanguard Ransomware ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below. |
| Distribution | Spam Email Campaigns, malicious ads & etc. |
Vanguard Ransomware Ransomware Removal
STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.
- 1) Hit WIN Key + R
- 2) A Run window will appear. In it, write “msconfig” and then press Enter
3) A Configuration box shall appear. In it Choose the tab named “Boot”
4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
5) Apply -> OK
Or check our video guide – “How to start PC in Safe Mode with Networking”
STEP II: Show Hidden Files
- 1) Open My Computer/This PC
2) Windows 7
- – Click on “Organize” button
– Select “Folder and search options”
– Select the “View” tab
– Go under “Hidden files and folders” and mark “Show hidden files and folders” option
3) Windows 8/ 10
- – Open “View” tab
– Mark “Hidden items” option
4) Click “Apply” and then “OK” button
STEP III: Enter Windows Task Manager and Stop Malicious Processes
- 1) Hit the following key combination: CTRL+SHIFT+ESC
2) Get over to “Processes”
3) When you find suspicious process right click on it and select “Open File Location”
4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process”
5) Next you should go folder where the malicious file is located and delete it
STEP IV: Remove Completely Vanguard Ransomware Ransomware Using SpyHunter Anti-Malware Tool
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
STEP V: Repair Windows Registry
- 1) Again type simultaneously the Windows Button + R key combination
2) In the box, write “regedit”(without the inverted commas) and hit Enter
3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
Further help for Windows Registry repair
STEP VI: Recover Encrypted Files
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
How To Restore Vanguard Files
- 1) Use present backups
- 2) Use professional data recovery software
- – Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
- 3) Using System Restore Point
- – Hit WIN Key
– Select “Open System Restore” and follow the steps
- 4) Restore your personal files using File History
- – Hit WIN Key
– Type “restore your files” in the search box
– Select “Restore your files with File History”
– Choose a folder or type the name of the file in the search bar
- – Hit the “Restore” button
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
