First discovered in May, Enigma ransomware targeted only Russian users. This virus, however, has been released in a new variant that may attack users on a global scale if distributed massively. The new version of Enigma ransomware uses “enigma_info.txt” file which it drops after the encryption process is completed. Similar to the first version, this one also uses RSA encryption patterns to render files no longer openable until a ransom has been paid. Users who have been infected are advised under no circumstances to pay any form of ransom to the cyber-criminals behind Enigma Ransomware because this is no guarantee that the files will be reverted to normal and also it is supporting the malicious organization of the cyber-criminals as well. Instead, it is advisable to immediately remove all associated files with Enigma 2 Ransomware from your computer and attempt to restore the files yourself using the information in this article until a free decrypter is released.
|Short Description||The ransomware encrypts files with the RSA algorithm and asks a ransom payoff for decryption.|
|Symptoms||Files are encrypted with an added .1txt file extension to them and become inaccessible. A ransom note with instructions for paying the ransom shows as a file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by Enigma 2 |
Malware Removal Tool
|User Experience||Join our forum to Discuss Enigma 2 Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Enigma 2 Ransomware – How Does It Spread
Phishing e-mails are the most commonly used method by which Enigma 2 ransomware may be replicated. The virus may use notorious services like LinkedIn, Facebook, PayPal, banks and others to create fake phishing e-mails based on the original e-mails from those services. Then the spam messages may be massively sent via spam bots. The malicious files of Enigma 2 ransomware may be downloaded via a Trojan Downloader or an exploit kit that is featured in the e-mails as a malicious attachment. Such e-mail attachments may be disguised as legitimate Microsoft Word, Excel, PowerPoint or Adobe documents.
But attachments are not the only infection method to worry about. The Enigma 2 malware may spread via fake web links and fake social media buttons, like “Add as friend”, for example in the e-mails.
Enigma 2 Ransomware – In-Depth Information
As soon as it has infected your computer, Enigma 2 begins to quietly drop it’s modules without any notice. The files dropped by the virus may be of different file types:
→ .bat, .cmd, .exe, .vbs, .tmp, .dll
There is the main file that encrypts user data and other supporting files, all known as modules of the Enigma 2 virus. These modules are responsible for different activities, like deleting the local backups of the infected computer, for example, using the vssadmin command:
The ransomware may also situate files in the %Startup% Windows directory so that they run every time Windows starts. In addition to this, Windows Registry Editor keys may also become a target of Enigma 2 ransomware in order for the virus to run on startup.
As soon as the executable responsible for encrypting files runs, it immediately begins to encipher widely used file types, for example:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com
After this has been performed, the files are locked with the .1txt file extension appended to them. They may appear as the picture below displays:
To encipher files, the Enigma 2 Ransomware may either use RSA cipher or use both AES and RSA algorithms, one to encrypt the files and the other to encrypt the decryption .key file and send it to the command and control server of the cyber-criminals.
Remove Enigma 2 Ransomware and Restore .1txt Files
In order to fully erase Enigma 2 Ransomware it is strongly advisable to focus on following the removal instructions that are posted below. Malware research experts also recommend to use an anti-malware software which will make sure that the files and other objects are permanently erased from the user PC.
To attempt and restore your files in case they have been encrypted by Enigma 2, you will have to look for different alternatives, like the ones in step “2. Restore files encrypted by Enigma 2” below until a free decryptor is publicly released out into the open. Bear in mind that if you try to decrypt the files yourself, you do it solely at your own risk and the file recovery methods may not be 100% effective but they may restore some of your important files.