Ransomware Report

Title: BlackLegion ransomware
Registration date: 2024-06-18

[Virus/Malware Activity Report: BlackLegion Ransomware]

An intrusion incident believed to involve BlackLegion ransomware has occurred. We confirm the situation and issue the following warning.

BlackLegion ransomware

The ransomware is called BlackLegion and appears to rename all files to a form made up of the file name, the extension, and BlackLegion.

How it works

file version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • This C#-based ransomware conceals its executable file by setting the file's attributes to hidden. It then copies “WmiPrvSe.exe” to the %Temp% location and adds it to the startup-program registry so that it runs again automatically when Windows boots. Shadow copies are deleted to make file recovery difficult after encryption.


    [Figure 3 Ransomware executable file registered in startup program registry and ransomware copied to corresponding location]


    [Figure 4 Static code that creates and executes a command bat file in a temporary folder when encryption is completed]


    [Figure 5 bat file created in temporary folder and its contents]
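
The behaviours described above (a WmiPrvSe.exe running from %Temp%, a startup registry entry pointing there, and shadow copy deletion) can be hunted for together in endpoint telemetry. The Python below is an added example, not part of the original report or the vendor's product; the event field names, host names, sample events and the vssadmin/wmic command patterns are assumptions, since the report does not print the exact commands.

```python
import re
from pathlib import PureWindowsPath

# Directories where the genuine Windows WMI provider host (WmiPrvSE.exe) lives.
LEGIT_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
# Assumption: common shadow-copy deletion commands; the report does not print its own.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)

def classify(event):
    """Return the behaviours from the report that a single event matches."""
    hits = []
    if event["type"] == "process":
        image = PureWindowsPath(event["image"])
        if image.name.lower() == "wmiprvse.exe" and str(image.parent).lower() not in LEGIT_DIRS:
            hits.append("masquerading WmiPrvSe.exe")
        if VSS_DELETE.search(event.get("cmdline", "")):
            hits.append("shadow copy deletion")
    elif event["type"] == "registry":
        # "key" is the full path including the value name; "data" is the value written.
        if RUN_KEY.search(event["key"]) and TEMP_DIR.search(event["data"]):
            hits.append("Run key pointing into Temp")
    return hits

def triage(events):
    """Collect matched behaviours per host so correlated activity stands out."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {host: sorted(found) for host, found in per_host.items() if found}

# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\WmiPrvSe.exe", "cmdline": ""},
    {"host": "WS01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSe",
     "data": r"C:\Users\alice\AppData\Local\Temp\WmiPrvSe.exe"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "type": "process", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": ""},
    {"host": "WS02", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, found)
```

A host that shows all three behaviours, like the constructed WS01, matches the pattern in this report; the genuine WmiPrvSE.exe under System32\wbem on WS02 is not flagged.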

Infection results

A guidance file (ransom note) is created in each folder, and the encrypted files are changed to .


[Figure 6 Infection results]

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.


[Figure 7 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.