Enigma Ransomware and .Enigma Encrypted Files – Remove It and Restore Them - How to, Technology and PC Security Forum | SensorsTechForum.com

Enigma Ransomware and .Enigma Encrypted Files – Remove It and Restore Them

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

password-brute-force-stforumAttacks by a ransomware discovered in April that is reportedly associated with Russia, carrying the name Enigma, have been reported to be rapidly rising. This nasty cyber threat encrypts the files of users using a strong AES encryption algorithm after which displays a ransom message, written in Russian. The ransom note aims to scare the user into paying, notifying him that there is no other option. However, it is strongly recommended not to pay any ransom demanded by this ransomware and attempt to restore your files using alternative solutions, such as the ones posted in this article.

Threat Summary

Short DescriptionThe ransomware encrypts files with the RSA algorithm and AES-128 ciphers and asks a ransom for decryption.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file. A .ENIGMA file exension is added to the encrypted files.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Enigma


Malware Removal Tool

User ExperienceJoin our forum to Discuss Locky Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.


Enigma Ransomware – Distribution

According to researchers at the independent MalwareHunterTeam, to be spread throughout user PCs this crypto-malware may employ a Javascript attack via an HTML attachment. Such attachments may be redistributed via different places online:

  • Spam e-mail messages.
  • File sharing websites or services.
  • Web links posted on the social media.
  • HTML files sent out in combination with other setups, programs or archived files.

The interesting part is once the user clicks on the web link it immediately opens up another web browser page and manipulates the JavaScript so that it downloads its ransomware executable and save it on the victim’s computer.

Enigma Ransomware – More About It

The malicious executable downloaded onto the user’s computer is reported to have a completely random alpha-numerical name, for example:

  • 02s93d3d3hdsa9nc32nenc9a39dad.exe

This is a commonly used technique by ransomware to assist in concealing the executable by making it harder to find. In addition to this, the malware may also use obfuscators (https://sensorstechforum.com/obfuscation-in-malware-the-key-to-a-successful-infection/) to conceal its malicious executable while its encrypting your files.

Furthermore, Enigma ransomware, may create the following files in key Windows folders:

  • A text document in %Temp%.
  • A text document in %AppData%.
  • A .dat file on the Desktop which most likely looks for files to encrypt.
  • A .hta file on the Desktop..
  • A .RSA file on the desktop which most likely contains the encryption key.
  • A .txt file on the desktop which contains the ransom message written in Russian.
  • Its primary malicious executable, located in the folder where the user downloads files from the browser

In addition to that, the ransomware has been reported by researchers to create several Registry keys associated with the Enigma Ransomware, like the entry to make the malicious file encrypting .exe run on startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

After the malicious executable created by Enigma Ransomware is activated, it may begin to scan and encrypt file extensions that belong to the following types of data.

  • Videos.
  • Photos.
  • Songs.
  • Databases.
  • Other.

More specifically the files it scans for and encrypts have been reported by Symantec engineers to be the following:

→ .1cd .3dc .aes .asm .asp .asp .aspx .avi .bat .bmp .bz2 .bza .bzip .bzip2 .cad .cdr .cmd .cpp .crt .csr .csv .czip .dat .dbf .dif .djv .djvu .doc .docb .docm .docx .dwg .fla .gif .gz2 .gza .gzi .gzip .hdoc .html .hwp .java .jpeg .jpg .key .kwm .lzma .max .mdb .mdb .mkv .mml .mov .mpeg .mpg .odg .odp .ods .odt .odt .otg .otp .ots .ott .pas .pem .php .php .png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .ppt .pptm .pptx .pptx .psd .rar .rtf .rtf .slk .sln .sql .sqlite .sqlite .sqlite3 .sqlitedb .sqx .sqz .srep .stc .std .sti .stw .swf .sxc .sxi .sxm .sxw .tar .taz .tbk .tbz .tbz2 .tgz .tif .tiff .tlz .tlzma .tsk .tx_ .txt .txz .uc2 .uot .vbs .vdi .wks .wmv .xlc .xlm .xls .xlsb .xlsm .xlsx .xlsx .xlt .xltm .xltx .xlw .zip .zip .zipx .zix

Not only this, but the researchers there have also discovered that the Enigma Ransomware also deletes user files with the following extensions:

→ .73b .113 .$db .aba .abf .abk .acp .as4 .asd .ashbak .asvx .ate .ati .bac .bak .bak~ .bak2 .bak3 .bakx .bbb .bbz .bck .bckp .bcm .bk1 .bkc .bkf .bkp .bks .blend1 .blend2 .bm3 .bpa .bpb .bpm .bpn .bps .bup .cbk .cbu .ck9 .crds .da0 .dash .dba .dbk .diy .dna .dov .fbc .fbf .fbk .fbu .fbw .fhf .flka .flkb .fpsx .ftmb .ful .fza .gb1 .gb2 .gbp .gho .ghs .icf .ipd .iv2i .jbk .jdc .kb2 .lcb .llx .mbk .mbw .mddata .mdinfo .mem .mig .mpb .mv_ .nb7 .nba .nbak .nbd .nbf .nbi .nbk .nbs .nbu .nco .nfb .nfc .npf .nps .nrbak .nrs .nwbak .obk .oeb .old .onepkg .ori .orig .paq .pbb .pbj .qba.tlg .qbb .qbk .qbm .qbmb .qbmd .qbx .qic .qsf .qv~ .rbc .rbf .rbk .rbs .rdb .rgmb .rmbak .rrr .sbb .sbs .sbu .skb .sn1 .sn2 .sna .sns .spf .spg .spi .srr .stg .sv$ .sv2i .tbk .tdb .tig .tis .tlg .tmr .trn .ttbk .uci .v2i .vbk .vbm .vrb .wbb .wbcat .win .wjf .wpb .wspak .xlk .yrcbck .vpcbackup

The ransomware claims to use AES – 128 algorithm, and it may use an RSA cypher to encrypt the private key without which the decryption is impossible. The files that are encrypted have the .enigma file extension appended to them, for example:

  • New Text Document.txt.enigma

After encrypting the data, the ransomware may drop a .txt file with the ransom message written in Russian:

→ Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи.
Файлы зашифрованны алгоритмом AES 128(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем,который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.
Если хотите получить файлы обратно:
1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://249fj203923jd.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор
We have encrypted important files on your PC: documents, databases, pictures, videos, keys.
The files are encrypted via AES-128 encryption algorithm(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key known only to us.
The encrypted files have the extension .ENIGMA. To decrypt the files without the private key is IMPOSSIBLE.
If you want to get your files back:
1)Install Tor Browser https://www.torproject.org/
2)Find on your desktop the key for accessing the ENIGMA_ (your key number).RSA
3)Go to the website http://249fj203923jd.onion in Tor Browser and login via ENIGMA_(your key number).RSA
4)Follow the instructions on the site and download the decoder.

Remove Enigma Ransomware and Restore .Enigma Encrypted Files

To remove this crypto-malware completely from your computer, we strongly advise you to follow the instructions in the removal accordion below. They will assist with removing all of the files associated with Enigma ransomware from your device.

To decrypt your data, make sure that Enigma ransomware has been reported to leave Volume Shadow Copies intact, you if you have File History in Windows turned on, make sure to get your files back using this method. If this is not the case, you may want to try by using the alternative file restoration methods which we have provided after this article.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share