[Virus/Malware Activity Report: Zsszyy Ransomware]
We are aware of a security breach suspected to be in the form of Zsszyy ransomware.
We would like to provide the following information and warning regarding the situation.
Zsszyy ransomware
The ransomware is called Aoki and appears to rename every encrypted file to < filename.extension.{36-digit UUID}.zsszyy >.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
This malware is ransomware developed in C++. When first executed, it copies itself to a system folder in the form C:\ProgramData\{GUID}\{random string}.exe, using a 36-character UUID-format folder name and an 8-character random file name to evade detection. The copied file is then re-executed and the original process terminates. It uses a mutex to prevent multiple instances of the program from running at the same time, which avoids system resource conflicts and duplicate encryption.

After the encryption task is completed, it registers itself in the Windows startup registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) so that it runs again after a system reboot. The registered command carries the /V- parameter, which prevents files that are already encrypted from being encrypted a second time.
[Figure 3: Copied executable file and startup program registration registry]
Infection results
After encryption is complete, a ransom note (guide file) named README.txt is created in each folder, and each encrypted file is renamed to < filename.extension.{36-digit UUID}.zsszyy >.
[Figure 4 Infection Results]
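The behaviour and infection results described above translate directly into host-side indicators: the renamed-file pattern, a README.txt beside encrypted files, a dropped copy under C:\ProgramData, and a Run-key value launching that copy with /V-. The following script is an added example and is not code from the advisory or from the White Defender product; it checks a file listing and a set of Run-key values against those indicators. It assumes the ProgramData folder name is a bare or brace-wrapped UUID (the advisory does not say which), that the file suffix keeps the braces shown in the advisory, and every path, UUID and registry value in the sample data is constructed for illustration, not a real IoC.

```python
import re

# Added example (not from the advisory). All sample paths, UUIDs and
# registry values below are constructed for illustration.

HEX = "[0-9a-fA-F]"
# 36-character UUID: 8-4-4-4-12 hex groups separated by hyphens
UUID = HEX + "{8}-" + HEX + "{4}-" + HEX + "{4}-" + HEX + "{4}-" + HEX + "{12}"

# Encrypted file: <name>.<ext>.{UUID}.zsszyy (braces kept literally, as shown in the advisory)
ENCRYPTED_NAME_RE = re.compile(r"^.+\.\{" + UUID + r"\}\.zsszyy$", re.IGNORECASE)

# Dropped copy: C:\ProgramData\<UUID>\<8 alphanumerics>.exe
# Assumption: the UUID folder name may or may not be wrapped in braces.
DROPPED_PATH = r"C:\\ProgramData\\\{?" + UUID + r"\}?\\[A-Za-z0-9]{8}\.exe"
DROPPED_PATH_RE = re.compile("^" + DROPPED_PATH + "$", re.IGNORECASE)

# Run value: optionally quoted dropped-copy path, optionally followed by /V-
RUN_VALUE_RE = re.compile(r'^"?(' + DROPPED_PATH + r')"?(\s+/V-)?\s*$', re.IGNORECASE)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
NOTE_NAME = "readme.txt"


def _split(path):
    """Split a Windows path into (directory, file name), lower-casing the directory."""
    parent, _, name = path.rpartition("\\")
    return parent.lower(), name


def is_encrypted_name(path):
    """True when the file name follows the <name>.<ext>.{UUID}.zsszyy rename scheme."""
    return bool(ENCRYPTED_NAME_RE.match(_split(path)[1]))


def is_dropped_copy(path):
    """True when the path looks like the self-copy under C:\\ProgramData."""
    return bool(DROPPED_PATH_RE.match(path))


def persistence_entry(key, value_data):
    """Describe a Run-key value that launches the dropped copy, or None if benign."""
    if key.lower() != RUN_KEY.lower():
        return None
    m = RUN_VALUE_RE.match(value_data)
    if not m:
        return None
    return {"path": m.group(1), "has_v_flag": m.group(2) is not None}


def scan(listing, run_entries):
    """Evaluate a file listing and (key, name, data) Run-key triples against the indicators."""
    encrypted = [p for p in listing if is_encrypted_name(p)]
    hit_dirs = {_split(p)[0] for p in encrypted}
    # Only report README.txt where it sits next to encrypted files; a lone README.txt is normal.
    notes = [p for p in listing
             if _split(p)[1].lower() == NOTE_NAME and _split(p)[0] in hit_dirs]
    dropped = [p for p in listing if is_dropped_copy(p)]
    persistence = []
    for key, name, data in run_entries:
        entry = persistence_entry(key, data)
        if entry:
            persistence.append((name, entry))
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "dropped_copies": dropped,
        "persistence": persistence,
        "verdict": bool(encrypted or dropped or persistence),
    }


# Constructed sample data (not real indicators)
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.zsszyy",
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\README.txt",  # no encrypted siblings: not reported
    r"C:\ProgramData\{6ba7b810-9dad-11d1-80b4-00c04fd430c8}\aB3kd92Q.exe",
    r"C:\ProgramData\Microsoft\Windows\Caches\index.dat",
]
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "ExampleApp", r"C:\Program Files\ExampleApp\app.exe"),
    (RUN_KEY, "aB3kd92Q",
     r'"C:\ProgramData\{6ba7b810-9dad-11d1-80b4-00c04fd430c8}\aB3kd92Q.exe" /V-'),
]

if __name__ == "__main__":
    for k, v in scan(SAMPLE_LISTING, SAMPLE_RUN_ENTRIES).items():
        print(k, v)
```

In practice the listing would come from a directory walk and the Run-key triples from a registry export; the point of `scan` is that the three indicators are checked independently, so a host where encryption was blocked early may still show the dropped copy or the /V- Run value without any renamed files.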
White Defender response
White Defender blocks the malicious actions of the Zsszyy ransomware and also supports real-time automatic restoration of any files that were encrypted before the block took effect.
[Figure 5 Blocking Message]