Enigma Ransomware and .Enigma Encrypted Files – Remove It and Restore Them - How to, Technology and PC Security Forum | SensorsTechForum.com
Attacks by a ransomware discovered in April, reportedly associated with Russia and carrying the name Enigma, have been reported to be rising rapidly. This cyber threat encrypts the user's files with a strong AES encryption algorithm and then displays a ransom message written in Russian. The ransom note aims to scare the user into paying by claiming that there is no other option. However, it is strongly recommended not to pay any ransom demanded by this ransomware and instead to attempt to restore your files using alternative solutions, such as the ones posted in this article.

Threat Summary

  • Name: Enigma
  • Type: Ransomware
  • Short Description: The ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
  • Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom is dropped as a .txt file. The .ENIGMA file extension is added to the encrypted files.
  • Distribution Method: Spam e-mails, e-mail attachments, file sharing networks.


Enigma Ransomware – Distribution

According to researchers at the independent MalwareHunterTeam, this crypto-malware may spread to user PCs through a JavaScript attack delivered via an HTML attachment. Such attachments may be redistributed in different places online:

  • Spam e-mail messages.
  • File sharing websites or services.
  • Web links posted on the social media.
  • HTML files sent out in combination with other setups, programs or archived files.

The interesting part is that once the user clicks the web link, it immediately opens another browser page whose JavaScript is manipulated so that it downloads the ransomware executable and saves it on the victim's computer.

Enigma Ransomware – More About It

The malicious executable downloaded onto the user's computer is reported to have a completely random alphanumeric name, for example:

  • 02s93d3d3hdsa9nc32nenc9a39dad.exe

This is a technique commonly used by ransomware to help conceal the executable by making it harder to find. In addition, the malware may also use obfuscators (https://sensorstechforum.com/obfuscation-in-malware-the-key-to-a-successful-infection/) to conceal its malicious executable while it is encrypting your files.

Furthermore, Enigma ransomware may create the following files in key Windows folders:

  • A text document in %Temp%.
  • A text document in %AppData%.
  • A .dat file on the Desktop, which most likely is used to look for files to encrypt.
  • A .hta file on the Desktop.
  • A .RSA file on the Desktop, which most likely contains the encryption key.
  • A .txt file on the Desktop, which contains the ransom message written in Russian.
  • Its primary malicious executable, located in the folder where the user's browser saves downloaded files.

In addition, researchers have reported that the ransomware creates several Registry entries associated with Enigma, such as the entry that makes the file-encrypting .exe run on startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

After the malicious executable created by Enigma Ransomware is activated, it may begin to scan for and encrypt file extensions that belong to the following types of data:

  • Videos.
  • Photos.
  • Songs.
  • Databases.
  • Other.

More specifically, the files it scans for and encrypts have been reported by Symantec engineers to be the following:

→ .1cd .3dc .aes .asm .asp .aspx .avi .bat .bmp .bz2 .bza .bzip .bzip2 .cad .cdr .cmd .cpp .crt .csr .csv .czip .dat .dbf .dif .djv .djvu .doc .docb .docm .docx .dwg .fla .gif .gz2 .gza .gzi .gzip .hdoc .html .hwp .java .jpeg .jpg .key .kwm .lzma .max .mdb .mkv .mml .mov .mpeg .mpg .odg .odp .ods .odt .otg .otp .ots .ott .pas .pem .php .png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .psd .rar .rtf .slk .sln .sql .sqlite .sqlite3 .sqlitedb .sqx .sqz .srep .stc .std .sti .stw .swf .sxc .sxi .sxm .sxw .tar .taz .tbk .tbz .tbz2 .tgz .tif .tiff .tlz .tlzma .tsk .tx_ .txt .txz .uc2 .uot .vbs .vdi .wks .wmv .xlc .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .zip .zipx .zix

Not only this, but the Symantec researchers have also discovered that Enigma Ransomware deletes user files with the following extensions:

→ .73b .113 .$db .aba .abf .abk .acp .as4 .asd .ashbak .asvx .ate .ati .bac .bak .bak~ .bak2 .bak3 .bakx .bbb .bbz .bck .bckp .bcm .bk1 .bkc .bkf .bkp .bks .blend1 .blend2 .bm3 .bpa .bpb .bpm .bpn .bps .bup .cbk .cbu .ck9 .crds .da0 .dash .dba .dbk .diy .dna .dov .fbc .fbf .fbk .fbu .fbw .fhf .flka .flkb .fpsx .ftmb .ful .fza .gb1 .gb2 .gbp .gho .ghs .icf .ipd .iv2i .jbk .jdc .kb2 .lcb .llx .mbk .mbw .mddata .mdinfo .mem .mig .mpb .mv_ .nb7 .nba .nbak .nbd .nbf .nbi .nbk .nbs .nbu .nco .nfb .nfc .npf .nps .nrbak .nrs .nwbak .obk .oeb .old .onepkg .ori .orig .paq .pbb .pbj .qba.tlg .qbb .qbk .qbm .qbmb .qbmd .qbx .qic .qsf .qv~ .rbc .rbf .rbk .rbs .rdb .rgmb .rmbak .rrr .sbb .sbs .sbu .skb .sn1 .sn2 .sna .sns .spf .spg .spi .srr .stg .sv$ .sv2i .tbk .tdb .tig .tis .tlg .tmr .trn .ttbk .uci .v2i .vbk .vbm .vrb .wbb .wbcat .win .wjf .wpb .wspak .xlk .yrcbck .vpcbackup

The ransomware claims to use the AES-128 algorithm, and it may use an RSA cipher to encrypt the private key, without which decryption is impossible. The encrypted files have the .enigma file extension appended to them, for example:

  • New Text Document.txt.enigma

After encrypting the data, the ransomware may drop a .txt file with the ransom message written in Russian:

→ Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи.
Файлы зашифрованны алгоритмом AES 128(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем,который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.
Если хотите получить файлы обратно:
1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://249fj203923jd.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор
Translation:
We have encrypted important files on your PC: documents, databases, pictures, videos, keys.
The files are encrypted with the AES-128 encryption algorithm (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key known only to us.
The encrypted files have the extension .ENIGMA. Decrypting the files without the private key is IMPOSSIBLE.
If you want to get your files back:
1) Install Tor Browser https://www.torproject.org/
2) Find on your desktop the key for accessing the site: ENIGMA_(your key number).RSA
3) Go to the website http://249fj203923jd.onion in Tor Browser and log in using ENIGMA_(your key number).RSA
4) Follow the instructions on the site and download the decryptor.
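As an added defender-side triage example (not code from the article or from any vendor it names), the following Python script walks a directory for the artifacts described above: files carrying the appended .enigma extension, the ENIGMA_(key number).RSA key file, a text file bearing the markers of the ransom note, and still-plain files whose extensions appear in the targeted list; on Windows it also lists the values under the HKCU Run key the article names as the persistence location. The extension subset, the sample tree and the .onion address in the demo are constructed.

```python
import re, tempfile
from pathlib import Path

TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".sql", ".txt", ".zip"}  # subset of the list above
ENCRYPTED_SUFFIX = ".enigma"                               # appended to every encrypted file
KEY_FILE = re.compile(r"^ENIGMA_.+\.RSA$", re.IGNORECASE)  # ENIGMA_<key number>.RSA on the desktop
NOTE_MARKERS = ("ENIGMA", ".onion")                        # strings present in the Russian note

def looks_like_note(path):
    """True if a .txt file carries the markers of the Enigma ransom note."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return all(marker in text for marker in NOTE_MARKERS)

def triage(root):
    """Walk root and bucket files into Enigma artifacts and still-plain files it targets."""
    found = {"encrypted": [], "key_files": [], "ransom_notes": [], "at_risk": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower().endswith(ENCRYPTED_SUFFIX):
            found["encrypted"].append(str(path))
        elif KEY_FILE.match(path.name):
            found["key_files"].append(str(path))
        elif path.suffix.lower() == ".txt" and looks_like_note(path):
            found["ransom_notes"].append(str(path))
        elif path.suffix.lower() in TARGETED:
            found["at_risk"].append(str(path))
    return found

def run_key_entries():
    """On Windows, list (name, command) pairs under the HKCU Run key; empty list elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for index in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
            entries.append(winreg.EnumValue(key, index)[:2])
    return entries

def demo():
    """Build a constructed sample tree (not a real infection) and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "New Text Document.txt.enigma").write_bytes(b"\x00ciphertext")
    (root / "ENIGMA_12345.RSA").write_text("constructed key blob")
    (root / "note.txt").write_text("Расширение .ENIGMA, сайт http://example.onion", encoding="utf-8")
    (root / "budget.xlsx").write_text("still plain")
    return triage(root)
```

Run against a user profile after isolating the machine; a non-empty "encrypted" bucket together with a key file and a note confirms the infection pattern, and "at_risk" shows what was not yet reached.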

Remove Enigma Ransomware and Restore .Enigma Encrypted Files

To remove this crypto-malware completely from your computer, we strongly advise you to follow the removal instructions below. They will assist with removing all of the files associated with Enigma ransomware from your device.

To recover your data, note that Enigma ransomware has been reported to leave Volume Shadow Copies intact, so if you have File History turned on in Windows, use it to get your files back. If this is not the case, you may want to try the alternative file restoration methods which we have provided after this article.


To remove Enigma, follow these steps:

1. Boot your PC in Safe Mode to isolate and remove Enigma files and objects.
2. Find files created by Enigma on your PC.
3. Scan for malware and unwanted programs with the SpyHunter Anti-Malware Tool.
4. Try to restore files encrypted by Enigma.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
