
Russian Legion Ransomware

Posted: May 6, 2019

The Russian Legion Ransomware is a new version of the Hidden Tear file-locking Trojan. This variant continues to block files with encryption and may use a static key for unlocking them, which would make free recovery of your work readily attainable. Because updates or other issues can change that, you should still keep backups to safeguard your information and let anti-malware tools remove the Russian Legion Ransomware on sight.

The Taste of a Poisonous Russian Apple

Possibly because using someone else's secure encryption model is easier than taking a risk on an unsecured or customized one, Hidden Tear is no longer the dominant force in the file-locker Trojan industry. However, despite the rise of Ransomware-as-a-Service, variants of this 'freeware' threat still appear occasionally, such as the Russian Legion Ransomware. Unlike most builds of HT, such as the RansomMine Ransomware, the Rastakhiz Ransomware, the CrY-TrOwX Ransomware, or the Unikey Ransomware, the Russian Legion Ransomware aims its extortionist attacks at Russian residents.

The Russian Legion Ransomware's installer pretends to be a PDF document with the name 'SAT_d,' although malware experts have yet to note whether it circulates through torrents, malvertising or other means. Once it tricks the user into installing it, the Russian Legion Ransomware starts encrypting media files with an AES algorithm that 'locks' them. Most of the file-locking Trojans that malware analysts are familiar with mark these files by appending an extension, but this feature isn't present in the Russian Legion Ransomware.
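Because this variant leaves file names and extensions untouched, a directory listing gives no hint of which files were encrypted. One defender-side check is to compare each file's leading bytes against the signature its extension promises and to measure the byte entropy of its head: AES output is close to 8 bits per byte and never begins with a JPEG or PDF header. The script below is an added example written for this article, not code from the page or from any Hidden Tear build; the sample files it inspects are constructed in memory, and the signature table and 7.0-bit threshold are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter
from pathlib import Path

# Expected leading bytes for a few common media and document formats (assumed table).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; AES ciphertext sits close to 8.0
HEAD_BYTES = 65536       # the head is enough: an encrypted body is uniform throughout


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def magic_matches(name: str, data: bytes):
    """True/False when the extension has a known signature, None when it has none."""
    sigs = MAGIC.get(Path(name).suffix.lower())
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


def assess(name: str, data: bytes) -> dict:
    """Flag a file as likely encrypted in place: high entropy combined with a
    header that no longer matches its extension (or an extension with nothing to check)."""
    ent = shannon_entropy(data[:HEAD_BYTES])
    ok = magic_matches(name, data)
    suspicious = ent >= ENTROPY_THRESHOLD and ok is not True
    return {"name": name, "entropy": round(ent, 2), "magic_ok": ok, "suspicious": suspicious}


def scan_directory(root: str) -> list:
    """Walk a directory tree and return the assessments of files flagged as suspicious."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            result = assess(path.name, head)
            if result["suspicious"]:
                hits.append(result)
    return hits


def _pseudo_random(n: int, seed: int = 1) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed, not real)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples, not files from any real infection:
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 2000,  # intact JPEG-like header
    "report.pdf": b"%PDF-1.4\n" + b"% plain text body line\n" * 100,  # intact PDF-like file
    "notes.docx": b"PK\x03\x04" + _pseudo_random(4000, seed=2),      # compressed: high entropy, header intact
    "photo.jpg": _pseudo_random(4096),                                 # header gone, uniform bytes
    "memo.txt": _pseudo_random(4096, seed=3),                          # no signature, but text never looks like this
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
```

The two signals are combined on purpose: a ZIP-based document such as `notes.docx` has near-uniform bytes because it is compressed, so entropy alone would flag every Office file, but its intact `PK` header clears it. The remaining false positives are compressed or already-encrypted files whose extension has no entry in the signature table, so treat a hit as a lead for triage (compare against a known-good backup) rather than proof of infection.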

Although the encryption is a 'vanilla' feature of Hidden Tear, the Russian Legion Ransomware sets itself apart from similar Trojans by delivering TXT ransom notes with partially English and partially Russian text. The threat actor gives just one day to pay a Bitcoin and, supposedly, unlock your files. The Russian Legion Ransomware's ransom-negotiation address is, interestingly, an Apple-based one, which is uncommon.

Despite that last choice, the Russian Legion Ransomware has no exceptional cross-compatibility with macOS environments. It's a sub-one-megabyte Windows program, just like most of the other versions of Utku Sen's Hidden Tear.

Dismantling the Legion of Data Doom

While most threats describing themselves as 'legion' carry ominous portents of military prowess or, at least, Biblical references, the Russian Legion Ransomware is a standard copycat of Hidden Tear. Its additions to the program are minor, and malware analysts suspect that it uses a static, hard-coded key for its cryptography. Such a choice is easiest for the threat actor but makes free decryption highly likely for victims who contact the appropriate cyber-security researchers.

Because an update to the Russian Legion Ransomware could change this, users shouldn't assume that decryption will always be easily accessible. Keeping backups of their work on a removable device or a cloud storage server will eliminate most of the leverage that a file-locker Trojan possesses. Anti-malware products are deleting the Russian Legion Ransomware with acceptable accuracy and should disinfect Windows computers without problems.

The Russian Legion Ransomware will face significant competition from the Scarab Ransomware family unless it branches out beyond Russia. However, encryption attacks will work on anyone, anywhere, as long as their backups aren't ready.
