LIGMA Virus Removal – Restore Infected Computers and .CRYPTR Files

LIGMA Virus Removal – Restore Infected Computers and .CRYPTR Files

LIGMA image ransomware note .CRYPTR extension

The LIGMA virus is an original ransomware that can cause irreversible damage to the infected computers. It’s modules include an advanced protective engine that can counter any security tools installed on the system. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.

Threat Summary

NameLIGMA virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .CRYPTR extension and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by LIGMA virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss LIGMA virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

LIGMA Virus – Distribution Ways

The LIGMA virus is a ransomware threat that has been identified in a global attack campaign. The volume of the attacks are low which signals that the ransomware campaigns are probably a testing release or a sampling of its initial capabilities. Due to the fact that the analysts have not been able to identify a main method we presume that the most popular ones are going to be used.

A common distribution tactic is to rely on phishing email messages, they use various social engineering scams in order to manipulate the victim users into interacting with a malicious element. The messages are designed to appear as notifications such as password reminders, software updates and etc. The criminals will guide the victims into downloading and running an infected executable file or clicking on a hyperlink that will lead to a virus-infected file.

Another tactic would be to create fake download sites that are fake copies of vendor download sites and popular Internet portals. They are created in a similar manner to the email messages and may spread both the virus files or any infected payload carriers. They are carriers of the virus that come under various forms. One of the most common types is the inclusion of the virus code into documents. The installation procedure is through the macros that are built into them. As such all popular file types can be affected: rich text documents, spreadsheets, databases and presentations. Once they are opened by the victims a notification prompt will appear asking them to enable the built-in scripts. If this is done the virus infection will follow.

The other common payload carrier is the inclusion of malware code into application installers. They are legitimate software setup files taken from the official vendor download sites which are modified with the malware code. They are then distributed using the various delivery methods.

To further increase the chance of acquiring a virus infection the criminals can opt to use file-sharing networks such as BitTorrent, they are popular for spreading both legitimate and pirate content.

Infection tactics may also include the inclusion of the virus files via infected web browsers plugins. They are hacker-modified or created plugins made for the most popular web browsers. They are uploaded to the relevant repositories using fake user reviews and developer credentials. Their descriptions often include promises of adding new functionality or enhancing already existing ones. Once they are installed the code will automatically redirect the users to a specific hacker-controlled site by manipulating the web browsers settings — home page, search engine and new tabs page. Following this the LIGMA virus will be installed.

LIGMA Virus – In-Depth Analysis

The security analysis of the captured LIGMA virus reveals that it does not contain any code taken from any of the famous ransowmare families. This means that it is very probable that it has been created by the hacker or criminal collective behind it. The alternative hypothesis is that it has been bought on the underground hacker markets. So far we have no information about the identity of the perpetrators. The captured attacks do not seem to be against a specific country or language which signals that the criminal intent is against all users.

There are interesting modules available in this threat. The available analysis shows that the virus is built around an engine that calls different functions. Upon infection it will follow a predesigned behavior pattern.

A main process that controls the additonal modules will be spawned It will launch a combined information harvesting and stealth protection module.

The virus engine will scan the infected host for any security software that can interfere with the virus execution. This is done via signature scans that look for anti-virus engines, as well as virtual machine hosts and debug environments. The engine will terminate them and in certain cases can altogether delete the software. The developers of the LIGMA virus have implemented a protective layer which prevents system administrators and analysts from following its execution.

Following the virus’s infection onto the operating system it can proceed with various system changes such as the following:

  • Files Manipulation — The LIGMA virus can delete user files, modify existing ones and also drop files that belong to the virus.
  • System Access — LIGMA virus commands can help the engine achieve administrative privileges, access removable storage devices and available network shares. This also helps it to disable the Windows Firewall rules, start its own processes and hook up to others.
  • Virus Report — The engine can report the infections to a hacker-controlled server automatically.

The fact that the infection framework allows for a variety of modules to be launched on the infected system, in some cases this may include Trojans. The typical case would follow the LIGMA virus to establish a connection to a hacker-controlled server. It allows the criminal operators to spy on the victims in real-time, as well as take over their machines and deploy other threats.

Users can also expect Windows Registry modifications that can affect both the operating system strings and those belonging to any user-installed applications. As a result the victim users may expect overall performance issues and the inability to start certain functions.

LIGMA Virus — Encryption

Instead of using an ordinary ransomware behavior pattern the LIGMA virus also includes a dangerous Master Boot Record (MBR) wiper. This means that not only sensitive user data will be processed, but the LIGMA virus will also delete the boot records. This will make it very difficult to restore infected hosts. The files themselves will be encrypted with the AES-256 cipher.

The ransomware engine will process files according to a built-in list. The captured samples have been shown to encrypt the following extensions:

.0, .1st, .3dm, .3mf, .600, .602, .7z, .7zip, .a, .aaf, .abw, .accdb, .acl, .aep, .aepx, .aet,
.ahk, .ai, .aps, .as, .asc, .asp, .aspx, .assets, .asx, .avi, .bas, .bep, .bmp, .c, .cbf, .cbfx,
.cer, .cfa, .class, .config, .contact, .cpp, .cs, .css, .csv, .dat, .db, .dbf, .deb, .dic, .doc,
.docb, .docm, .docx, .dot, .dotm, .dotx, .dvi, .dwg, .dxf, .ebf, .ebfx, .ebuild, .efx, .eps, .ev3,
.ev3, .exp, .fits, .fla, .flv, .fnt, .gif, .go, .gz, .gz, .h, .hmg, .htm, .html, .ico, .idml, .ilk,
.inc, .indb, .indd, .indl, .indt, .inx, .iso, .jar, .java, .jpeg, .jpg, .js, .json, .ldr, .lic, .loc,
.lock, .log, .lxf, .m3u8, .m4a, .max, .mcfunction, .mcmeta, .md2, .md3, .md4, .md5, .mdb, .mkv, .mp3,
.mp4, .mpeg, .mpg, .msg, .msi, .nc, .ncb, .nut, .obj, .object, .odf, .odp, .odt, .ogg, .otf, .pdb, .pdf,
.pek, .pez, .php, .php?, .piv, .pkf, .pl, .plb, .plg, .pm, .pmd, .png, .pot, .potm, .potx, .pov, .ppj, .pps,
.ppt, .pptm, .pptx, .prefs, .prel, .prfpset, .prproj, .prsl, .ps, .ps, .ps, .psc, .psd, .psm1, .py, .python,
.rar, .raw, .rb, .rbt, .rc, .res, .resource, .resx, .rex, .rtf, .ru, .rxe, .s3, .sdf, .sdl, .ses, .silo, .sln,
.sql, .sti, .svg, .swf, .swift, .tab, .tar.gz, .tdf , .tif, .tiff, .tpk, .txt, .udo, .umod, .vb, .vcf, .vob,
.w3d, .war, .webp, .wmv, .wpd, .wps, .wtv, .wve, .x, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt,
.xltm, .xltx, .xlw, .xml, .xmp, .xpl, .xps, .xqx, .xsl-fo, .z, .zip

All victim files will be renamed with the .ForgiveME extension. Following the MBR code deletion once the process is complete the users will view a green text screen with black background showing the following text:

This PC is dead because you did n’t follow the rules.
Your PC will never work again.
NOTE: Even if you fix the MBR your Your PC Is Dead.
Entire Registry is Fucked and your files are infected.

Remove LIGMA virus and Restore Encrypted Files

If your computer system got infected with the LIGMA virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share