[ Lena ransomware ]

[Virus/Malware Activity Reported: Lena Ransomware]

We are aware of a security breach suspected to be Lena ransomware and
would like to provide the following information and warning regarding the situation.

Lena ransomware

The ransomware is called Lena and appears to be changing all files to the file name .lena.

How it works

File version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in Windows properties]

Ransomware behavior characteristics

• Lena ransomware is a variant of Chaos ransomware developed in C#.NET. Upon infection, it deletes shadow copies and backup catalogs to disable system recovery, and disables Windows Restore and error notifications. While it primarily targets the Windows root drive, it also creates the surprise.ex file on other drives, allowing additional infections to occur when using removable disks. Furthermore, it copies an executable file to the %AppData%Roaming path and creates a shortcut link in the Windows Startup folder to ensure persistent execution even after rebooting.

  
  [Figure 3: Static code for creating a shortcut link in the Startup Programs folder]

  
  [Figure 4: Startup program shortcut file created on the attacked PC]

  
  [Figure 5: Static code for executing cmd command]

Infection results

After encryption is complete, a guide file is created in each folder location with the name lena, and each encrypted file is changed to < file name. extension. lena >.

[Figure 6 Infection Results]

White Defender response

It also supports real-time automatic restoration of files that were encrypted before WhiteDefender ransomware malicious actions and blocking.

[Figure 7 Blocking Message]

Watch Lena's blocked video