Do you know what Centurion_Legion Ransomware is?
Centurion_Legion Ransomware comes from the same family of malware as Saraswati Ransomware, Green_ray Ransomware, JohnyCryptor Ransomware, and several other infections. It is easy to group these threats together because they share a very distinctive feature, the extension attached to the files encrypted by them. Yes, all of these infections are capable of encrypting files, and they do this as soon as they slither into your operating system. Unsurprisingly, all of these threats travel in the same way, and we have found that they usually exploit the backdoor opened up via spam emails. Any of these ransomware threats can be camouflaged as simple files attached to misguiding spam emails, and, if you are not careful, you might let them in unknowingly. In this report, we focus on the removal of Centurion_Legion Ransomware, and you should read it even if this malicious threat has not infected your operating system yet.
When Centurion_Legion Ransomware is launched, a malicious executable is created in the %APPDATA% directory. A Run key is added to the Windows Registry as well to ensure that the threat runs successfully. Once the encryption of your files is finalized, these components are automatically removed. Despite this, we have added the instructions (see the guide below) that will help you erase them from your PC in case the infection fails to erase them automatically. The encryption of your files is silent, and you are likely to recognize it only after the wallpaper on the Desktop is replaced with an image representing this notification.
Your data is encrypted!!
To return the file to an email email
Needless to say, the name of the malicious ransomware comes from the email address that its victims are urged to contact. The malicious Centurion_Legion Ransomware is capable of encrypting .exe files, which means that you might be unable to contact cyber criminals from the infected machine, as your browsers will be locked. Although this is something we have seen when analyzing other threats within the family – some of which we have already mentioned – this is not a common practice for all ransomware infections. Most of them focus on personal files, such as documents, videos, photos, music files, etc., but do not disrupt the running of .exe files. It is most likely that the ransomware is set up to encrypt .exe files to disable antivirus software. Of course, reliable antivirus and anti-malware tools would not let this ransomware initiate encryption in the first place. Once encrypted, the files gain the ".id-[ID].firstname.lastname@example.org" extension. This extension, as you can see, includes your ID and an email address that you are asked to contact via the Desktop wallpaper as well as the "How to decrypt your files.txt" file on the Desktop.
According to our research, Centurion_Legion Ransomware does not eliminate Shadow Volume Copies, which means that the victims of this threat might be able to reverse the damage by restoring the system using a restore point. Unfortunately, not all users set up restore points, and not all of them back up their sensitive files using online storage clouds or external drives. While it is possible to replace .exe files, restoring personal files without a backup might be impossible. Of course, if you contact cyber criminals, you will be instructed to pay a ransom, and this supposedly should get your files decrypted. First of all, the ransom demanded by cyber crooks might be incredibly big. Second, paying this ransom is risky because cyber crooks cannot be trusted. Whether you lose your files, pay the ransom (not advisable), or use third-party decryption tools, make sure that you delete Centurion_Legion Ransomware from your computer.
N.B. The guide below shows how to erase this threat manually, but you should also install anti-malware software to ensure the elimination of any remaining malware, as well as full-time protection from the threats that you might encounter in the future. Download the installer of the chosen anti-malware tool on a healthy machine, and transfer it onto the infected machine using a flash drive.
Remove Centurion_Legion Ransomware
- Delete the file called How to decrypt your files.txt on your Desktop.
- Simultaneously tap keys Win+E to access Explorer.
- Type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup into the address bar and tap Enter (if you are on Windows XP, enter %ALLUSERSPROFILE%\Start Menu\Programs).
- Delete these files: How to decrypt your files.jpg, How to decrypt your files.txt, [random name].exe.
- Type %UserProfile% into the address bar and tap Enter.
- Delete the file called How to decrypt your files.jpg.
- Type %APPDATA% into the address bar and tap Enter.
- Delete the file called [random name].exe.
- Simultaneously tap keys Win+R to launch RUN.
- Type regedit.exe into the dialog box and click OK to launch Registry Editor.
- Move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- Delete the value with the random name (e.g., odgdgdem). The value data of this value should represent the [random name].exe file in the %APPDATA% directory.
- Move to HKEY_CURRENT_USER\Control Panel\Desktop.
- Delete the value called Wallpaper. The value data should represent How to decrypt your files.jpg.
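As an added example (not part of the original guide or any vendor tool), the following PowerShell script audits the same artifacts the steps above tell you to remove and deletes them only when run with -Remove. It assumes the Vista-and-later Startup path from step 3, and, because the executable's random name is unknown, it identifies it through the Run value that points at an .exe under %APPDATA%.

```powershell
# Added example, not the article's own code: audits the artifacts the manual
# guide lists (ransom notes, the %APPDATA% executable, its Run value and the
# replaced wallpaper) and removes them only when run with -Remove.
# Use -Remove -WhatIf to preview deletions without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$notes = 'How to decrypt your files.txt', 'How to decrypt your files.jpg'
$dirs  = [Environment]::GetFolderPath('Desktop'),
         (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
         $env:USERPROFILE, $env:APPDATA
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wpKey  = 'HKCU:\Control Panel\Desktop'
$found  = New-Object System.Collections.Generic.List[object]

# 1. Ransom-note files in the locations the guide names
foreach ($d in $dirs) { foreach ($n in $notes) {
    $p = Join-Path $d $n
    if (Test-Path -LiteralPath $p) { $found.Add([pscustomobject]@{ Kind='File'; Target=$p }) }
} }

# 2. Run values whose data is an .exe under %APPDATA% (the persistence entry)
$run = Get-ItemProperty -Path $runKey
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }                 # provider metadata, not a Run value
    $exe = ([string]$prop.Value).Trim('"')
    if ($exe -like "$env:APPDATA\*.exe") {
        $found.Add([pscustomobject]@{ Kind='RunValue'; Target=$prop.Name })
        if (Test-Path -LiteralPath $exe) { $found.Add([pscustomobject]@{ Kind='File'; Target=$exe }) }
    }
}

# 3. Wallpaper value pointing at the ransom image
$wp = (Get-ItemProperty -Path $wpKey -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -like '*How to decrypt your files.jpg') { $found.Add([pscustomobject]@{ Kind='Wallpaper'; Target=$wp }) }

$found | Format-Table -AutoSize
if (-not $Remove) { return }
foreach ($f in $found) {
    switch ($f.Kind) {
        'File'      { if ($PSCmdlet.ShouldProcess($f.Target, 'Delete file')) { Remove-Item -LiteralPath $f.Target -Force } }
        'RunValue'  { if ($PSCmdlet.ShouldProcess("$runKey\$($f.Target)", 'Delete value')) { Remove-ItemProperty -Path $runKey -Name $f.Target } }
        'Wallpaper' { if ($PSCmdlet.ShouldProcess("$wpKey\Wallpaper", 'Delete value')) { Remove-ItemProperty -Path $wpKey -Name 'Wallpaper' } }
    }
}
```

Run it first without -Remove to review the findings; a legitimate program that happens to start from %APPDATA% would also be listed, so confirm each entry before deleting.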
In non-techie terms:
Centurion_Legion Ransomware is the perfect tool in the hands of cyber criminals. If a restore point is not set up and backup copies do not exist, the victims of this infection have two choices regarding their files: They either lose these files or they pay the ransom. Of course, it is possible that third-party decrypters could help, but, in general, these are the options that the victims are left with. Hopefully, you can restore your files without dealing with unpredictable cyber criminals. Paying the ransom is not what we advise at all because there is a risk of losing money with nothing in return. If you choose to use anti-malware software for the removal of the ransomware and the protection of your PC, you need to transfer the installer from a malware-free machine. If you choose to proceed manually, use the guide above.