A security breach suspected to be Morgan ransomware has occurred.
We would like to provide the following information and warning regarding the situation.

Morgan ransomware

The ransomware is called Morgan and it appears to be changing all files to filename.extension.morgan.

How it works

File version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in Windows properties]

Ransomware behavior characteristics

• It is a .NET-based ransomware with duplication prevention and VM environment-related check functions. It currently attacks the library, encrypts it, then downloads images uploaded to imgur, a famous image storage, and applies them to the desktop.

  
  [Figure 3 Attack on the library of the currently logged-in profile]

  
  [Figure 4 Download the image uploaded to imgur]

  
  [Figure 5 Actual uploaded image]

  
  [Figure 6 Extensions that are the target of attack]

Infection results

A guide file is created in each folder location with the name <README.txt>, and each encrypted file is changed to <file name.extension.morgan>.

[Figure 7 Infection results]

White Defender Response

It also supports real-time automatic restoration of files that are encrypted before the malicious actions and blocking of WhiteDefender ransomware.

[Figure 8 Blocking Message]

Go watch Morgan blocking video