Due to an infringement believed to be in the form of ZeroGuard ransomware,
we would like to confirm the situation and provide a warning as follows.

ZeroGuard Ransomware

The ransomware in question is called ZeroGuard and appears to be changing all files with file name, extension, random 12-character key, and ZeroGuard.

How it works

file version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in window properties]

Ransomware operation characteristics

• Based on .NET, the internal static code is encrypted, making detailed analysis of its operation difficult. When ransomware operates, it treats itself as a hidden file and registers itself in the startup program registry to automatically start when the user profile (USER) logs on to Windows.

  
  [Figure 3 Dynamic information checking IP information using myexternalip’s API]

  
  [Figure 4 Shadow copy deletion dynamic information]

Infection results

The guidance file <Readme.txt> is created in each path, and when encryption is performed, <file name.extension. Change the files to ZeroGuard0@skiff.com.Random 12-digit key.ZeroGuard>.

[Figure 5 Infection results]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of WhiteDefender ransomware.

[Figure 6 Block message]

Watch ZeroGuard blocking video