
LegionLocker Ransomware: Russian-Origin Screen Locker

LegionLocker is a dual-purpose ransomware and screen locker that deploys multiple persistence mechanisms while encrypting files and locking access to the system. This malware communicates through Telegram, requiring victims to contact the operators via the @xexeza handle to negotiate ransom payments. First identified in early 2025, LegionLocker appears to originate from Russia and employs both file encryption and screen locking techniques to maximize pressure on victims. This analysis examines its technical characteristics and persistence methods, and provides protection strategies to defend against this emerging threat.

Threat Summary

  • Threat Type: Ransomware, Screen Locker, Data Theft
  • Sample Hash: 01b57b7ab116a353b5d7d778b62c1a99f7f9f10e6af3a524aa13b9e3a588d751
  • File Name: lc.exe
  • Size: 193 KB
  • Distribution: Phishing emails, compromised credentials
  • Threat Severity: High
  • Targeted Systems: Windows endpoints and workstations
  • Attacker Contact: Telegram (@xexeza)
  • Origin: Russia
  • Ransom Note: info-Locker.txt

Introduction to LegionLocker Ransomware

LegionLocker emerged in early 2025 as a combined screen locker and file encryptor targeting primarily Windows systems. What distinguishes this ransomware is its hybrid approach – not only encrypting files but also locking users out of their systems by forcibly terminating Explorer.exe and displaying a Russian-language ransom interface with a blue background.

The malware claims to be operated by the “Legion hacker group” – a previously unknown threat actor that appears to be of Russian origin based on language analysis and infrastructure connections. The operators provide only a Telegram contact handle (@xexeza) for communication, avoiding the more complex payment portal systems used by larger ransomware operations.

LegionLocker applies aggressive persistence techniques, including multiple startup registry keys, Winlogon shell modifications, and hidden files, making it particularly difficult to remove once a system is infected. The combination of screen locking and file encryption creates a sense of urgency and makes recovery without paying the ransom especially challenging for victims without proper backups.

Technical Features of LegionLocker

LegionLocker employs several technical features that enhance its effectiveness and complicate removal:

  • Hybrid Operation: Functions both as a screen locker (by killing Explorer.exe and displaying a full-screen ransom message) and as a file encryptor.
  • Multiple Persistence Mechanisms: Establishes at least 13 different registry autorun entries to survive system restarts.
  • Winlogon Hijacking: Modifies the Windows logon process to execute the malware during system startup.
  • File Attribute Manipulation: Uses the attrib.exe utility to set hidden, system, and read-only attributes on multiple files.
  • Process Termination: Forcibly terminates Explorer.exe to prevent normal system usage.
  • Ransom Note Distribution: Creates an info-Locker.txt file in multiple directories including Desktop, Documents, Downloads, and the user profile root.
  • Self-Protection: Uses file attributes to protect its components from modification or deletion.
  • Hidden Files and Directories: Employs NTFS file attribute manipulation to conceal malicious components.

The combination of these features indicates a ransomware operation designed for maximum impact and persistence, making it difficult for victims to regain control of their systems without restoring from backups or formatting their systems.

[Infographic: LegionLocker infection process. Initial execution (lc.exe): malware is delivered via phishing or remote access. Persistence mechanisms: multiple Run keys added, Winlogon Shell modification, RunOnce keys created, file attributes set (hidden, system, read-only). User interference: kills the Explorer.exe process, creates info-Locker.txt ransom notes, places notes in multiple user folders, displays the blue-screen locker interface. Ransom demand: victim directed to contact @xexeza on Telegram for payment instructions.]

Source: Analysis of LegionLocker ransomware infection process, 2025

Distribution Methods

Based on analysis of similar ransomware operations and the identified samples, LegionLocker likely spreads through:

  1. Phishing emails: Malicious email attachments or embedded links that download the lc.exe payload.
  2. Compromised credentials: Use of stolen remote access credentials to manually deploy the ransomware.
  3. Malicious software bundles: Pirated software, fake updates, or trojanized applications that include the ransomware as a payload.
  4. RDP exploitation: Targeting of poorly secured Remote Desktop Protocol connections to gain initial access and deploy the malware.

The relatively small size of the executable (193 KB) suggests it may be designed to be easily distributed through multiple vectors rather than containing complex functionality within a large package. This could indicate the operators are targeting a higher volume of smaller victims rather than conducting highly targeted attacks against specific large organizations.

The malware has been observed deployed as “lc.exe” but likely uses other generic names to avoid detection, potentially impersonating legitimate Windows system files or common utilities to remain inconspicuous until execution.

Persistence Mechanisms

LegionLocker employs an unusually comprehensive set of persistence mechanisms to ensure it continues running after system restarts:

Registry Run Keys

The ransomware creates multiple Run and RunOnce registry keys, including:

# Windows Current User Run Keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_1 = "AWindowsService.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_2 = "taskhost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_3 = "windowsx-c.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_4 = "System.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_5 = "_default64.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_6 = "native.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_7 = "ux-cryptor.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_8 = "crypt0rsx.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "C:\Users\[username]\AppData\Local\Temp\lc.exe -startup"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "C:\Users\[username]\AppData\Local\Temp\lc.exe"
 
# Windows Current User RunOnce Keys
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "C:\Users\[username]\AppData\Local\Temp\lc.exe --init"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "C:\Users\[username]\AppData\Local\Temp\lc.exe /setup"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "C:\Users\[username]\AppData\Local\Temp\lc.exe --wininit"

Winlogon Shell Modification

The malware modifies the Winlogon shell key to execute itself upon user login:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\Users\[username]\AppData\Local\Temp\lc.exe"

File Attribute Manipulation

LegionLocker uses attrib.exe to set hidden, system, and read-only attributes on files in multiple directories:

attrib +h +s +r +i /D

This makes it difficult for users to locate and remove malicious files, as they won’t appear in standard directory listings without specifically configuring Explorer to show hidden and system files.

The combination of these persistence mechanisms demonstrates a thorough approach designed to make removal difficult and ensure the malware remains active even after attempted cleanup.

Ransom Demand and Communication Channel

LegionLocker uses a text-based ransom note and screen locker interface to communicate with victims:

Ransom Note Content

The ransomware drops “info-Locker.txt” files in multiple locations including:

  • User’s Desktop
  • User’s Documents folder
  • User’s Downloads folder
  • User’s profile root directory
  • Public Desktop

The ransom note (translated from Russian) contains a brief message:

[RANDOM_NUMBER] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza

The inclusion of a random number may be an attempt to create unique identifiers for each victim, though it’s considerably less sophisticated than the UUID systems used by more advanced ransomware operations.

Screen Locker Interface

LegionLocker also creates a blue-screen interface with a more detailed ransom message. The interface informs victims:

[Image: LegionLocker ransom interface displayed after the malware terminates Explorer.exe. The screen has a distinctive blue background with Russian text that reads “Your files are encrypted!” and instructions to contact the attackers via Telegram.]

  • Their files have been encrypted
  • The computer has been locked
  • Any attempt to bypass the locker will cause permanent damage
  • A 48-hour time limit exists for payment
  • Contact must be made through Telegram

The screen locker component forcibly terminates Explorer.exe using the taskkill command:

taskkill.exe /im Explorer.exe /f

This prevents normal interaction with the Windows desktop until the ransom is paid or the malware is removed.

Telegram Communication

Unlike more sophisticated ransomware operations that use TOR-based payment portals or secure messaging systems, LegionLocker simply directs victims to contact the operators through Telegram using the handle @xexeza. This simpler approach suggests the operation may be smaller and less established than major ransomware groups.

The use of Telegram provides the attackers with relatively secure, end-to-end encrypted communications while being more accessible to average users than TOR or specialized communication platforms like those used by larger ransomware operations.

Technical Indicators of Compromise

Organizations should monitor for the following indicators that may suggest a LegionLocker infection:

File System Artifacts

# Ransomware executable
File: lc.exe
Size: 193 KB
MD5: 98609581725d9cf7f5200dbb02266cd6
SHA1: 5f8a127fb69172947c6212b3a466279794b702a4
SHA256: 01b57b7ab116a353b5d7d778b62c1a99f7f9f10e6af3a524aa13b9e3a588d751
SSDEEP: 6144:pS4OgfnRtcCUsnzUCpM69/KImQi/6ebl:srg/jcy
 
# Ransom note
info-Locker.txt (multiple locations)
MD5: a127062880baf206adf8231a696fa34f
 
# File locations
C:\Users\[username]\AppData\Local\Temp\lc.exe
C:\Users\[username]\Desktop\info-Locker.txt
C:\Users\[username]\Documents\info-Locker.txt
C:\Users\[username]\Downloads\info-Locker.txt
C:\Users\Public\Desktop\info-Locker.txt

Registry Indicators

# Registry modifications
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\Users\[username]\AppData\Local\Temp\lc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_1 = "AWindowsService.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_2 = "taskhost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_3 = "windowsx-c.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_4 = "System.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_5 = "_default64.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_6 = "native.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_7 = "ux-cryptor.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_8 = "crypt0rsx.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "C:\Users\[username]\AppData\Local\Temp\lc.exe -startup"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "C:\Users\[username]\AppData\Local\Temp\lc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "C:\Users\[username]\AppData\Local\Temp\lc.exe --init"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "C:\Users\[username]\AppData\Local\Temp\lc.exe /setup"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "C:\Users\[username]\AppData\Local\Temp\lc.exe --wininit"

Behavioral Indicators

  • Explorer.exe process being killed unexpectedly
  • Multiple command prompt windows briefly appearing
  • Creation of multiple text files with identical content in user directories
  • Use of attrib.exe to modify file attributes
  • Blue-screen ransom interface displayed on startup
  • Unexpected execution of taskkill.exe
  • Multiple desktop.ini files modified in a short timeframe

[Figure: LegionLocker threat assessment chart. Axes: Persistence Capability, User Impact, Encryption Sophistication, Data Recovery Difficulty, Evasion Techniques, Distribution Capability, Self-defense Mechanisms, Communication Security.]

Source: LegionLocker ransomware capabilities assessment based on technical analysis, 2025

Mitigation and Protection Strategies

Protecting against LegionLocker requires comprehensive defense measures. Organizations should implement the following protective approaches:

Preventive Measures

  • Email filtering: Implement advanced email security solutions to detect and block malicious attachments and links that could deliver the ransomware.
  • User awareness training: Educate users about phishing techniques and suspicious file attachments.
  • Endpoint protection: Deploy modern endpoint security solutions with behavioral detection capabilities.
  • RDP security: Secure Remote Desktop Protocol connections with strong passwords, multi-factor authentication, and VPN requirements.
  • Regular updates: Keep operating systems and applications updated with the latest security patches.

Detection and Response

  • Registry monitoring: Implement monitoring for unexpected registry modifications, particularly to Winlogon and Run keys.
  • Process monitoring: Watch for suspicious process execution patterns, especially unexpected termination of Explorer.exe.
  • File attribute monitoring: Alert on mass file attribute changes using attrib.exe.
  • IOC scanning: Regularly scan for indicators of compromise associated with LegionLocker.
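The process-monitoring, attribute-monitoring and IOC-scanning items above, together with the Behavioral Indicators listed earlier, can be expressed as detection rules over process-creation telemetry. The following is an added example written for this article, not GridinSoft tooling: it reads JSON-lines records in the shape of Sysmon event ID 1 (Image, CommandLine, ParentImage, Hashes), applies four rules drawn from the indicators on this page, and attributes each hit to the process that spawned it so that a single noisy rule (a legitimate installer running from Temp, say) does not raise an alert on its own. The log lines are constructed; the user name "alice" and the short SHA256 values other than the published lc.exe hash are placeholders.

```python
"""Behavioural detection for LegionLocker activity over process-creation logs (added example).

Rules: the published lc.exe SHA256, execution from the user's Temp folder,
taskkill aimed at Explorer.exe, and attrib setting hidden+system attributes.
Hits on child processes are pinned on the flagged parent (the dropper), and a
process alerts only when two or more distinct rules fire for it.
"""
import json
import re

# lc.exe sample hash from the article's indicators of compromise.
IOC_SHA256 = {"01b57b7ab116a353b5d7d778b62c1a99f7f9f10e6af3a524aa13b9e3a588d751"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed Sysmon-style log: one infection chain plus benign attrib/taskkill use.
# "alice" and the 4-digit hashes are placeholders, not real indicators.
SAMPLE_LOG = r'''
{"UtcTime":"2025-03-02 09:14:02.101","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt","ParentImage":"C:\\Windows\\explorer.exe","Hashes":"SHA256=1111"}
{"UtcTime":"2025-03-02 09:15:10.330","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe","CommandLine":"lc.exe","ParentImage":"C:\\Windows\\explorer.exe","Hashes":"SHA256=01B57B7AB116A353B5D7D778B62C1A99F7F9F10E6AF3A524AA13B9E3A588D751"}
{"UtcTime":"2025-03-02 09:15:11.004","Image":"C:\\Windows\\System32\\taskkill.exe","CommandLine":"taskkill.exe /im Explorer.exe /f","ParentImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe","Hashes":"SHA256=2222"}
{"UtcTime":"2025-03-02 09:15:11.250","Image":"C:\\Windows\\System32\\attrib.exe","CommandLine":"attrib +h +s +r +i /D C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe","ParentImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe","Hashes":"SHA256=3333"}
{"UtcTime":"2025-03-02 09:20:00.000","Image":"C:\\Windows\\System32\\attrib.exe","CommandLine":"attrib -r C:\\Users\\alice\\Documents\\report.docx","ParentImage":"C:\\Windows\\System32\\cmd.exe","Hashes":"SHA256=3333"}
{"UtcTime":"2025-03-02 09:21:00.000","Image":"C:\\Windows\\System32\\taskkill.exe","CommandLine":"taskkill.exe /im notepad.exe /f","ParentImage":"C:\\Windows\\System32\\cmd.exe","Hashes":"SHA256=2222"}
'''


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sha256_of(event):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def detect(event):
    """Return the names of the rules this single event triggers."""
    hits = []
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    tokens = event.get("CommandLine", "").lower().split()
    if sha256_of(event) in IOC_SHA256:
        hits.append("known_sample_hash")
    if TEMP_DIR_RE.search(image):
        hits.append("execution_from_temp")
    if exe in ("taskkill.exe", "taskkill") and "/f" in tokens and "/im" in tokens:
        target = tokens.index("/im") + 1
        if target < len(tokens) and tokens[target] == "explorer.exe":
            hits.append("explorer_kill")
    if exe in ("attrib.exe", "attrib") and "+h" in tokens and "+s" in tokens:
        hits.append("attrib_hide_system")
    return hits


def correlate(events):
    """Attribute hits to the process that spawned them; events must be in time order."""
    per_process = {}
    for event in events:
        hits = detect(event)
        if not hits:
            continue
        root = event["Image"]
        # A child of an already-flagged process is charged to that parent (the dropper).
        if event.get("ParentImage") in per_process:
            root = event["ParentImage"]
        per_process.setdefault(root, set()).update(hits)
    return {image: sorted(hits) for image, hits in per_process.items()}


def alerts(events, threshold=2):
    """Images for which at least `threshold` distinct rules fired."""
    return [image for image, hits in correlate(events).items() if len(hits) >= threshold]


if __name__ == "__main__":
    for image, hits in correlate(load_events(SAMPLE_LOG)).items():
        print(f"{image}: {', '.join(hits)}")
    print("ALERT:", alerts(load_events(SAMPLE_LOG)))
```

The benign `attrib -r` and `taskkill /im notepad.exe` records produce no hits, and the single `execution_from_temp` hit that a legitimate installer would generate stays below the alert threshold; only the lc.exe chain accumulates enough distinct rules to alert.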

Recovery Capabilities

  • Offline backups: Maintain regular backups that are not accessible from potentially infected systems.
  • System restore points: Enable and configure Windows System Restore before infection occurs.
  • Safe boot procedures: Prepare documentation for safe mode boot procedures to access systems that may be locked by the ransomware.
  • Incident response planning: Develop and test specific procedures for ransomware incidents, including LegionLocker removal.

Organizations should also develop specific incident response plans for screen locker ransomware like LegionLocker. As noted in our comprehensive malware removal guide, having established protocols in place before an attack occurs significantly reduces recovery time and potential damage.

Removal Steps for LegionLocker

If a system has been infected with LegionLocker, follow these steps to remove the malware:

Safe Mode Access

  1. Force a hard shutdown of the infected computer by holding the power button.
  2. Boot into Safe Mode with Command Prompt by repeatedly pressing F8 during startup (Windows 7) or using Shift+Restart and navigating to Troubleshoot > Advanced Options > Startup Settings (Windows 8/10/11).

Registry Cleanup

  1. Once in Safe Mode with Command Prompt, type “regedit” and press Enter to launch Registry Editor.
  2. Navigate to and delete the following registry entries:
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (reset to “explorer.exe”)
    • All malicious entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • All malicious entries under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

File Removal

  1. Open Command Prompt and run the following commands, one at a time:
     del "%USERPROFILE%\AppData\Local\Temp\lc.exe"
     del "%USERPROFILE%\Desktop\info-Locker.txt"
     del "%USERPROFILE%\Documents\info-Locker.txt"
     del "%USERPROFILE%\Downloads\info-Locker.txt"
     del "%PUBLIC%\Desktop\info-Locker.txt"
     Because LegionLocker marks its files hidden, system and read-only, a plain del may report that it cannot find or cannot access them; clear the attributes first (attrib -h -s -r -i <file>) or use del /f /a with the same paths.
  2. Run “explorer.exe” to restart the Windows Explorer process.
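The registry cleanup above, and the Persistence Mechanisms section that lists the Run, RunOnce and Winlogon Shell values involved, both come down to the same audit: find the autorun values that match the published indicators and reset the Winlogon shell. The following added example (written for this article, not a GridinSoft tool) parses a .reg text export of the user's hive, such as one produced by `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the matching export of the Run and RunOnce keys, flags values whose names match the indicators or that launch a binary from the Temp folder, and turns the findings into a reviewable list of reg.exe commands. It never modifies the registry itself; the export below is constructed and "alice" is a placeholder user name.

```python
"""Registry autorun audit for LegionLocker-style persistence (added example).

Reads a .reg-style export, reports suspicious Run/RunOnce values and a hijacked
Winlogon Shell, and builds a dry-run cleanup plan of reg.exe commands for an
analyst to review and run from Safe Mode with Command Prompt.
"""
import re

# Value names taken from the article's registry indicators.
KNOWN_VALUE_NAMES = {
    "WIN32_1", "WIN32_2", "WIN32_3", "WIN32_4", "WIN32_5", "WIN32_6",
    "WIN32_7", "WIN32_8", "WindowsInstaller", "MSEdgeUpdateX",
    "System3264Wow", "OneDrive10293", "WINDOWS",
}
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed export: one legitimate Run value plus entries shaped like the
# LegionLocker indicators. .reg files double every backslash inside strings.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WIN32_1"="AWindowsService.exe"
"MSEdgeUpdateX"="C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"System3264Wow"="C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe --init"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\alice\\AppData\\Local\\Temp\\lc.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the quoted string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # Undo the backslash doubling that the .reg format applies to strings.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def audit(keys):
    """Flag a hijacked Winlogon Shell and suspicious Run/RunOnce values."""
    findings = []
    for key, values in keys.items():
        _, _, subkey = key.partition("\\")   # drop the HKEY_CURRENT_USER prefix
        subkey = subkey.lower()
        if subkey == WINLOGON_KEY:
            shell = values.get("Shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append({"kind": "winlogon_shell_hijack", "key": key, "name": "Shell",
                                 "data": shell, "reasons": ["Shell is not explorer.exe"]})
        elif subkey in AUTORUN_KEYS:
            for name, data in values.items():
                reasons = []
                if name in KNOWN_VALUE_NAMES:
                    reasons.append("value name matches LegionLocker indicator")
                if TEMP_DIR_RE.search(data):
                    reasons.append("launches a binary from the user's Temp folder")
                if reasons:
                    findings.append({"kind": "suspicious_autorun", "key": key, "name": name,
                                     "data": data, "reasons": reasons})
    return findings


def cleanup_plan(findings):
    """Translate findings into reg.exe commands; nothing is executed here."""
    commands = []
    for finding in findings:
        key = finding["key"].replace("HKEY_CURRENT_USER", "HKCU")
        if finding["kind"] == "winlogon_shell_hijack":
            commands.append(f'reg add "{key}" /v Shell /t REG_SZ /d explorer.exe /f')
        else:
            commands.append(f'reg delete "{key}" /v {finding["name"]} /f')
    return commands


if __name__ == "__main__":
    found = audit(parse_reg_export(SAMPLE_REG_EXPORT))
    for finding in found:
        print(f"{finding['kind']}: {finding['key']}\\{finding['name']} = {finding['data']!r}"
              f" ({'; '.join(finding['reasons'])})")
    print("\n".join(cleanup_plan(found)))
```

The legitimate SecurityHealth value is left alone because it matches neither the indicator names nor the Temp-folder pattern, while the WIN32_1 entry is caught by name alone even though it carries no path. Review the generated commands before running them: resetting the Shell value to explorer.exe is what restores the desktop on the next logon, and the delete commands remove only the values the audit named.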

Automated Removal

For a more thorough cleanup, Trojan Killer can automatically detect and remove all components of LegionLocker in a single scan, including hidden registry entries and files with modified attributes.

[Image: Trojan Killer scanning for LegionLocker ransomware components]

Comparison with Other Ransomware

LegionLocker differs from other ransomware families in several key aspects:

Compared to NBA Ransomware: While NBA Ransomware uses sophisticated components like Cobalt Strike and communicates through qTox, LegionLocker employs simpler techniques but focuses more on system locking in addition to encryption. NBA targets corporate networks with more advanced evasion mechanisms, while LegionLocker appears to target individual users with more aggressive screen locking.

Compared to Maximsru Ransomware: Both ransomware families communicate through direct messaging channels (Telegram for LegionLocker, email for Maximsru), but LegionLocker employs significantly more persistence mechanisms and adds screen locking functionality not present in Maximsru.

Compared to lockscreen ransomware: Unlike traditional screen lockers that only restrict access without file encryption, LegionLocker combines both approaches for maximum impact. This hybrid approach increases pressure on victims who not only lose access to their systems but also face data loss.

Conclusion

LegionLocker represents a concerning evolution in ransomware design, combining multiple attack vectors (screen locking and file encryption) with aggressive persistence mechanisms. While it lacks some of the more sophisticated features of enterprise-targeting ransomware like NBA or Krypt, its hybrid approach makes it particularly disruptive for home users and small businesses.

Key characteristics that define LegionLocker include:

  • Hybrid screen locking and file encryption functionality
  • Multiple persistence mechanisms including registry modifications
  • Telegram-based ransom communication
  • Aggressive file attribute manipulation to complicate removal
  • Forced termination of Explorer.exe to prevent normal system usage
  • Russian-language origin with signs of targeting international victims

The emergence of LegionLocker highlights the ongoing evolution of ransomware threats toward multi-faceted approaches that increase the pressure on victims to pay. Organizations and individuals should focus on preventive measures including robust backup strategies, email filtering, and endpoint protection solutions to reduce the risk of infection.

With proper security measures in place and regular system backups, the impact of LegionLocker and similar ransomware threats can be significantly mitigated, reducing the incentive for attackers to continue using these tactics.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
