At the end of 2025, analysts at F6 identified a malicious program that did not fit typical modern ransomware patterns. The sample initially looked like a classic ransomware strain, allegedly encrypting all user data. Detailed reverse engineering, however, showed that no file encryption took place. Instead, the malware operated as a winlocker—blocking access to Windows and only simulating a ransomware attack.
From File-Encrypting Ransomware to Winlocker Ransomware: Why Old Tactics Return
Locker-type extortion malware largely disappeared from the mainstream threat landscape after 2015, displaced by file-encrypting ransomware that directly targets data and yields higher profits. Industry reports from ENISA and other organizations consistently show that data encryption and double extortion have dominated the ransomware ecosystem over the last years.
Despite this, winlocker ransomware remains attractive to some cybercriminals. It is simpler to develop, cheaper to operate, and particularly effective against home users and small businesses that may lack mature incident response capabilities. The newly observed sample, posing as “Legion ransomware,” illustrates this trend: the ransom note claims that “all files and disks are encrypted by the Legion team,” yet in reality the malware only locks the operating system interface and intercepts critical keyboard shortcuts.
Attribution: Links Between Legion Winlocker and NyashTeam Malware-as-a-Service
Analysis of ransom notes and artifacts embedded within the binary revealed consistent overlaps with activity associated with the NyashTeam cybercriminal group. According to F6, NyashTeam has been active since at least 2022 and operates under a Malware-as-a-Service (MaaS) model, selling ready-made tools and infrastructure to affiliates.
An internal PDB path found in the executable—C:\Users\123quig\Desktop\Новая папка\obj\Release\net40\lc.pdb—indicates a likely Russian-speaking developer. Previous NyashTeam customers have targeted victims in more than 50 countries, with the largest share of infections observed in Russia. In mid-2025, F6 disrupted part of the group’s infrastructure by taking down over 110 domains in the .ru zone, yet the new Legion winlocker campaign demonstrates that the group remains operational.
Technical Analysis of the Legion Winlocker Ransomware
Anti-VM and Sandbox Evasion Techniques
The Legion winlocker includes an Anti-VM module designed to evade analysis in virtual machines and sandboxes. Before executing its main payload, the malware checks whether it is running in a virtualized environment by inspecting system attributes such as computer name and hardware vendor for strings like “VPS,” “vmware,” or “VirtualBox.” If such indicators are found, the program exits with an error. This approach significantly complicates both static and dynamic analysis performed by security researchers and automated detection systems.
System Lock Mechanism and Fake Ransomware Behavior
After execution, the winlocker creates ransom notes on accessible drives, starting from D: and above, then displays a fake “operating system boot” window with alleged critical errors. No reboot or encryption actually occurs; the entire sequence is a visual simulation designed to pressure the victim into paying.
The core capability of the Legion winlocker is its interception of system keyboard shortcuts, including Ctrl+Alt+Del, Alt+F4, and Win+L. Attempts to launch Task Manager, lock the workstation, or close the malicious window are blocked, effectively preventing the user from interacting with Windows without entering an unlock code.
Unlock Code Generation and Extortion Logic
The malware generates a unique victim identifier based on the system launch time. The unlock code is derived from a predictable formula: nyashteam***0c0v11 + launch time. Once the correct code is entered, the winlocker removes itself from Windows Autorun and terminates. This behavior confirms that the goal is financial extortion rather than data destruction, aligning with typical ransomware economics where attackers seek fast payouts from non-technical victims.
Campaign Evolution: From CryptoBytes Winlocker to SalatStealer and WebRAT
Additional research indicates that similar winlocker ransomware was used as early as July 2022. At that time, ransom notes referenced the CryptoBytes hacker group, and the winlocker was sold via winlocker-site[.]github[.]io, which redirected to winlocker[.]ru. Several accounts mentioned in 2022–2023 notes are now inactive, but the seller profile @Haskers*** remains live. In the 2025 notes, a new contact @nyashteam*** appears, logically tying the Legion campaign to NyashTeam’s MaaS operations.
Following the partial takedown of NyashTeam’s infrastructure in July 2025, F6 continued monitoring. Between July 2025 and January 2026, admin panels for WebRAT—an enhanced successor to SalatStealer that combines information-stealing and remote access trojan (RAT) functionality—were identified on domains such as salator[.]es, webrat[.]uk, wrat[.]in, salat[.]cn, and salator[.]ru. The recurring use of webrat and salat in domain names provides valuable indicators of compromise (IoCs) for security teams.
Infection Vectors: Cracks and Game Cheats as Effective Social Engineering
Infrastructure associated with these domains also hosted malicious samples detected as SalatStealer. Based on file names and context, the primary delivery channel involved public file-sharing platforms, where executables were disguised as cracks and cheats for popular games, including CS2 and Roblox.
This method of social engineering targets teenagers and the broader gaming community, where wariness of unofficial downloads is often far lower than in enterprise environments. Similar tactics have been documented in multiple real-world cases, where cheats and mods were used to distribute stealers, RATs, and miners. For attackers, this segment offers a large pool of potential victims and valuable assets such as game accounts, payment instruments, and social media credentials.
The analysis of the Legion winlocker and related campaigns demonstrates that NyashTeam has not ceased operations despite infrastructure disruptions. The group continues to market winlockers, stealers, and RAT solutions under a MaaS model, while adopting anti-analysis measures and consistent domain patterns. To reduce the risk of infection, organizations and individuals should strengthen basic cyber hygiene: download software only from official sources, block access to untrusted file-sharing and “warez” sites, deploy up-to-date EDR/antivirus solutions, and continuously monitor IoCs linked to webrat*/salat* domains. Regular security awareness training—especially for users actively involved in gaming and unofficial modifications—remains one of the most effective ways to prevent compromise by winlocker ransomware and credential-stealing malware.
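A defender-side check for the WebRAT/SalatStealer domain indicators listed above and the webrat*/salat* monitoring recommended here, written as an added example (not F6's tooling or anything from the page): it scans constructed dnsmasq and proxy log lines, reports exact hits on the five listed domains as matches, and flags other registrable names starting with webrat or salat for analyst review. The log formats, the sample hosts other than the five listed domains, and the "label left of the TLD" rule are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

def refang(indicator: str) -> str:
    """Turn a defanged 'example[.]com' into 'example.com' for matching."""
    return indicator.replace("[.]", ".").lower()

# Domains named in the F6 write-up, defanged exactly as the page prints them.
KNOWN_BAD = {refang(d) for d in ("salator[.]es", "webrat[.]uk", "wrat[.]in", "salat[.]cn", "salator[.]ru")}
# Lower-confidence heuristic on the recurring naming tokens; it also hits benign
# names (a salad shop, say), so such hits are queued for analyst review, not blocked.
SUSPECT_PREFIXES = ("webrat", "salat")

def extract_host(line: str) -> Optional[str]:
    """Hostname from a dnsmasq query line or a proxy access-log line (assumed formats)."""
    m = re.search(r"query\[A+\]\s+(\S+)", line)   # "query[A] host from client"
    if m:
        return m.group(1).lower().rstrip(".")
    m = re.search(r"https?://\S+", line)           # access log carrying a full URL
    if m:
        return (urlsplit(m.group(0)).hostname or "").lower() or None
    return None

def classify(host: str) -> Optional[str]:
    """'match' for a listed IoC, 'suspect' for a naming-pattern hit, None otherwise."""
    if host in KNOWN_BAD:
        return "match"
    labels = host.split(".")
    # Assumption: the label left of the TLD is the registrable name (no public-suffix list).
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    return "suspect" if registrable.startswith(SUSPECT_PREFIXES) else None

def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, host, raw line) for every line whose host is a match or suspect."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if host and (verdict := classify(host)):
            hits.append((verdict, host, line.strip()))
    return hits

# Constructed sample log: three dnsmasq query lines and two proxy access-log lines.
SAMPLE_LOG = """\
Jan 12 10:01:02 dnsmasq[812]: query[A] www.microsoft.com from 10.0.0.5
Jan 12 10:01:09 dnsmasq[812]: query[A] cdn.webrat.uk from 10.0.0.5
Jan 12 10:01:15 dnsmasq[812]: query[AAAA] wrat.in from 10.0.0.7
10.0.0.9 - - [12/Jan/2026:10:02:00 +0000] "GET http://salator.es/panel/login HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2026:10:02:30 +0000] "GET https://salatbar.com/menu HTTP/1.1" 200 2048
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields two exact matches and two pattern hits; the salatbar.com hit illustrates why pattern matches go to review rather than straight to a blocklist.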