Russian Legion Ransomware

Posted: May 6, 2019

Russian Legion Ransomware Description

The Russian Legion Ransomware is a new version of the Hidden Tear file-locking Trojan. This variant still blocks files with encryption and may be using a static key, which would make free recovery of your work readily attainable. In case of updates or other issues, you should still keep backups for the safety of your information and let anti-malware tools remove the Russian Legion Ransomware on sight.

The Taste of a Poisonous Russian Apple

Possibly because it is easier to use someone else's secure encryption model than to take a risk on an unsecured or customized one, Hidden Tear is no longer the dominant force in the file-locker Trojan industry. However, despite the rise of Ransomware-as-a-Service, variants of this 'freeware' threat still appear occasionally, the Russian Legion Ransomware among them. Unlike most builds of HT, such as the RansomMine Ransomware, the Rastakhiz Ransomware, the CrY-TrOwX Ransomware, or the Unikey Ransomware, the Russian Legion Ransomware aims its extortionist attacks at Russian residents.

The Russian Legion Ransomware's installer pretends to be a PDF document with the name 'SAT_d,' although malware experts have yet to note whether it's circulating through torrents, malvertising or other means. Once it tricks the user into installing it, the Russian Legion Ransomware starts encrypting media files with an AES algorithm that 'locks' them. Most file-locking Trojans that malware analysts are familiar with mark the encrypted files with a new extension, but the Russian Legion Ransomware doesn't, so the locked files keep their original names.
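Because this variant leaves file names untouched, a victim or responder can't tell locked files from intact ones by extension alone. The following triage check is an added example (not code from the original article or from any analysis of the sample): it flags a file as suspect when its header no longer matches the type its extension claims, or, for header-less types such as .txt, when the content is near-random the way AES output is. The sample files, the four signatures in MAGIC and the entropy threshold are constructed assumptions for the demonstration.

```python
import math
import os
import random
from collections import Counter

# Fixed leading bytes for a few common types (assumption: only these are checked).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; AES ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'intact' or 'suspect' for a file whose name was left unchanged."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        # A correct header means the bytes were not rewritten; checking it first
        # also keeps legitimately high-entropy formats (docx is a zip) unflagged.
        return "intact" if data.startswith(MAGIC[ext]) else "suspect"
    # No fixed header (e.g. .txt): fall back to the randomness of the content.
    return "suspect" if shannon_entropy(data) > ENTROPY_THRESHOLD else "intact"


# Constructed samples (not real artefacts): two intact files and two overwritten
# with seeded random bytes standing in for AES output, original names kept.
_rng = random.Random(2019)
_ciphertext = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "notes.txt": b"Quarterly numbers are in the shared folder.\n" * 60,
    "invoice.pdf": _ciphertext,       # header gone, extension unchanged
    "todo.txt": _ciphertext[:2048],   # no header to check, entropy decides
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(name, data)}")
```

Compressed or already-encrypted archives without a recognised header will trip the entropy rule, so treat a 'suspect' verdict as a prompt to inspect, not as proof of encryption.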

Although the encryption is a 'vanilla' feature of Hidden Tear, the Russian Legion Ransomware sets itself apart from similar Trojans by delivering TXT ransom notes written partly in English and partly in Russian. The threat actor gives the victim just one day to pay a Bitcoin and, supposedly, unlock their files. The Russian Legion Ransomware's ransom negotiating address is, interestingly, an Apple-based one, which is uncommon.

Despite that last choice, the Russian Legion Ransomware has no exceptional cross-compatibility with macOS environments. It's a sub-one-megabyte Windows program, just like most of the other versions of Utku Sen's Hidden Tear.

Dismantling the Legion of Data Doom

While most threats describing themselves as 'legion' hold ominous portents of military prowess or, at least, Biblical references, the Russian Legion Ransomware is a standard copycat of Hidden Tear. Its additions to the program are minor, and malware analysts suspect that it uses a static, hard-coded key for its cryptography. Such a choice is easiest for the threat actor but makes free decryption highly likely for victims who contact the appropriate cyber-security researchers.

Because an update to the Russian Legion Ransomware could change this, users shouldn't assume that decryption will always be easily accessible. Keeping backups of their work on a removable device or a cloud storage server will eliminate most of the leverage that a file-locker Trojan possesses. Anti-malware products detect and delete the Russian Legion Ransomware with acceptable accuracy and should disinfect Windows computers without problems.

The Russian Legion Ransomware will have significant competition from the Scarab Ransomware family unless it branches out beyond Russia. However, encryption attacks will work on anyone, anywhere, as long as their backups aren't ready.
