New Enigma 2 Ransomware Remove and Restore .1txt Files

First discovered in May, Enigma ransomware targeted only Russian users. The virus, however, has been released in a new variant that may attack users on a global scale if it is distributed massively. The new version of Enigma ransomware drops a file named “enigma_info.txt” after the encryption process is completed. Like the first version, it uses RSA encryption to render files unopenable until a ransom has been paid. Infected users are advised not to pay any form of ransom to the cyber-criminals behind Enigma ransomware under any circumstances: payment is no guarantee that the files will be reverted to normal, and it also supports the malicious organization of the cyber-criminals. Instead, it is advisable to immediately remove all files associated with Enigma 2 ransomware from your computer and attempt to restore the files yourself using the information in this article until a free decrypter is released.

Threat Summary

Name: Enigma 2
Short Description: The ransomware encrypts files with the RSA algorithm and demands a ransom payment for decryption.
Symptoms: Files are encrypted, have the .1txt file extension added to them and become inaccessible. A ransom note with instructions for paying the ransom appears as a file.
Distribution Method: Spam emails, email attachments, file-sharing networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Enigma 2 Ransomware – How Does It Spread

Phishing e-mails are the most commonly used method by which Enigma 2 ransomware may be distributed. Well-known services like LinkedIn, Facebook, PayPal, banks and others may be imitated to create fake phishing e-mails based on the original e-mails from those services. The spam messages may then be sent in bulk via spam bots. The malicious files of Enigma 2 ransomware may be downloaded via a Trojan downloader or an exploit kit that is delivered in the e-mails as a malicious attachment. Such e-mail attachments may be disguised as legitimate Microsoft Word, Excel, PowerPoint or Adobe documents.

But attachments are not the only infection method to worry about. The Enigma 2 malware may also spread via fake web links and fake social media buttons in the e-mails, for example “Add as friend”.

Enigma 2 Ransomware – In-Depth Information

As soon as it has infected your computer, Enigma 2 begins to quietly drop its modules without any notice. The files dropped by the virus may be of different file types:

→ .bat, .cmd, .exe, .vbs, .tmp, .dll

One main file encrypts user data, and other files support it; all of them are known as modules of the Enigma 2 virus. These modules are responsible for different activities, for example deleting the local backups of the infected computer using the vssadmin command:


The ransomware may also place files in the %Startup% Windows directory so that they run every time Windows starts. In addition to this, Windows Registry keys may also be modified by Enigma 2 ransomware so that the virus runs on startup.
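As an added example (not code from this article), the Python code below flags the two behaviours described above in process-creation records: vssadmin being asked to delete shadow copies, and one of the dropped file types being launched from a Startup folder. The article does not reproduce the exact command Enigma 2 issues, so the sample records, host names and rule names are constructed for illustration.

```python
import re
from collections import defaultdict

# Rule 1: vssadmin asked to delete shadow copies (local backup removal).
VSS_DELETE = re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)
# Rule 2: one of the dropped file types run from a per-user or all-users
# Startup folder (the %Startup% directory the article mentions).
STARTUP_RUN = re.compile(
    r'\\Start Menu\\Programs\\Startup\\[^\\"]+\.(bat|cmd|exe|vbs|tmp|dll)\b', re.I)

RULES = {"shadow_copy_deletion": VSS_DELETE, "startup_folder_exec": STARTUP_RUN}

def triage(events):
    """Return {host: set of rule names that matched any of its command lines}."""
    hits = defaultdict(set)
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["command_line"]):
                hits[ev["host"]].add(name)
    return dict(hits)

def severity(rule_names):
    """Both behaviours on one host is a stronger signal than either alone."""
    return "high" if len(rule_names) == len(RULES) else "medium"

# Constructed sample records (assumed field names, not from a real incident).
SAMPLE_EVENTS = [
    {"host": "WS-01",
     "command_line": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01",
     "command_line": r'wscript.exe "C:\Users\a\AppData\Roaming\Microsoft'
                     r'\Windows\Start Menu\Programs\Startup\upd.vbs"'},
    {"host": "WS-02", "command_line": r"vssadmin list shadows"},
    {"host": "WS-03",
     "command_line": r"C:\Windows\System32\vssadmin.exe Delete Shadows /For=C: /Oldest"},
]

if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity(rules), sorted(rules))
```

A shadow-copy deletion on its own is rated medium because backup maintenance can issue it too; seen together with Startup-folder execution on the same host it is rated high.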


As soon as the executable responsible for encrypting files runs, it immediately begins to encipher widely used file types, for example:


After this has been performed, the files are locked with the .1txt file extension appended to them. They may appear as the picture below displays:


To encipher files, Enigma 2 ransomware may either use the RSA cipher alone or use both the AES and RSA algorithms: one to encrypt the files and the other to encrypt the decryption .key file, which is sent to the command and control server of the cyber-criminals.
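To scope the damage before restoring, the added example below (not part of the original article) walks a directory tree, counts files carrying the .1txt extension, locates enigma_info.txt ransom notes and lists the original file names to look for in backups. It assumes the extension is simply appended to the original name, as described above; the function names and the demo tree are constructed for illustration.

```python
import os
from collections import Counter

ENCRYPTED_EXT = ".1txt"          # extension the article says is appended
RANSOM_NOTE = "enigma_info.txt"  # note file name given in the article

def scope_encryption(root):
    """Walk root and summarise what the ransomware touched.

    Returns (per_dir, notes, originals):
      per_dir   - Counter of encrypted-file counts keyed by directory
      notes     - sorted paths of ransom notes found
      originals - sorted original paths (extension stripped) to pull from backup
    """
    per_dir, notes, originals = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()          # Windows file names are case-insensitive
            full = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                notes.append(full)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
                # Assumption: original name = encrypted name minus ".1txt".
                originals.append(full[: -len(ENCRYPTED_EXT)])
    return per_dir, sorted(notes), sorted(originals)

def build_demo_tree(root):
    """Create a constructed sample tree of empty files for the demo."""
    layout = {
        "Documents": ["report.docx.1txt", "budget.xlsx.1TXT", "notes.txt"],
        "Pictures": ["cat.jpg.1txt"],
        "Desktop": ["enigma_info.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            open(os.path.join(root, sub, n), "w").close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        per_dir, notes, originals = scope_encryption(tmp)
        print(sum(per_dir.values()), "encrypted;", len(notes), "note(s)")
        for p in originals:
            print("restore from backup:", os.path.relpath(p, tmp))
```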

Remove Enigma 2 Ransomware and Restore .1txt Files

To fully erase Enigma 2 ransomware, it is strongly advisable to follow the removal instructions posted below. Malware research experts also recommend using anti-malware software, which will make sure that the files and other objects are permanently erased from the user's PC.

To attempt to restore your files if they have been encrypted by Enigma 2, you will have to look at different alternatives, like the ones in step “2. Restore files encrypted by Enigma 2” below, until a free decryptor is publicly released. Bear in mind that if you try to decrypt the files yourself, you do so solely at your own risk; the file recovery methods may not be 100% effective, but they may restore some of your important files.

Manually delete Enigma 2 from your computer

Note! Important notice about the Enigma 2 threat: manual removal of Enigma 2 requires interference with system files and registries and can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Enigma 2 files and objects
2. Find malicious files created by Enigma 2 on your PC

Automatically remove Enigma 2 by downloading an advanced anti-malware program

1. Remove Enigma 2 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Enigma 2
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
