Enigma Ransomware

The malicious Enigma Ransomware is an infection that is targeted at users in the Russian-speaking region. This dangerous threat employs an HTML/JavaScript based installer with an executable embedded within it. This installer might be concealed as an inconspicuous email attachment, and you might download and open it without even suspecting a threat. Once opened, an executable is created, saved on the hard drive, and then executed to initiate malicious activity. According to our research, one version of the JavaScript file that creates this executable is called “Свидетельство о регистрации частного предприятия.js”, and the name of the executable it creates has a random combination of characters. If you do not stop these malicious files, they will soon encrypt your personal files, and decrypting them might be impossible. Of course, even if you manage to decrypt them, you will need to remove Enigma Ransomware from your operating system.

AES stands for “Advanced Encryption Standard,” and it is used by Enigma Ransomware to encrypt your personal files. The files encrypted by this infection are not difficult to identify because of the “.enigma” extension attached to them. This threat is likely to target your personal files, which it can determine by their file types. All photos, videos, other kinds of media files, documents, PDFs, text files, and other sensitive, hard-to-replace files will be encrypted by this malicious ransomware. Immediately after this, the infection will execute the enigma.hta file to showcase a notification that includes all of the demands. Needless to say, these demands are represented in Russian. The notification includes a Wikipedia page regarding the AES encryption algorithm, so that the victim would learn more about it. Needless to say, regular computer users will be overwhelmed by the information provided on this page, and this is exactly what the creator of this ransomware wants. The more confused users are, the more likely they are to simply follow the demand of paying a ransom. Here is an excerpt from the ransomware note.

Зашифрованные файлы имеют расширение .ENIGMA .
Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.
Если хотите получить файлы обратно:
1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://[...].onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор
Если основной сайт будет недоступен попробуйте http://ohj63tmbsod42v3d.onion/

If you follow the demands and download the Tor browser and visit the website you are requested to visit, you will need to register with an RSA key that is in this format: ENIGMA_[ID].RSA. After this, you will be introduced to the amount of Bitcoins you need to pay in order to retrieve a decryption tool. It is likely that the ransom will be different for every user, but you can expect it to start at 0.4 BTC, which is around 180 USD. The problem is that paying this huge ransom does not provide a guaranteed way out of this mess. Some users report that their files remain locked even after paying the ransom, which is why you have to be careful when making the decision to pay the ransom. If you do not want to waste your money for no good reason, you should seek out other ways to restore your files first. Unfortunately, at the moment, tools that could decrypt the files encrypted by Enigma Ransomware do not seem to exist, which means that you have two options – to succumb to the demands of cyber criminals or to ignore them and lose your files.

Even if you delete Enigma Ransomware from your operating system, your files will remain encrypted. Of course, that does not mean that you can ignore this infection. Whether you manage to decrypt your files yourself or by paying the ransom, or you lose them, this malicious threat might target new files, and it might open security backdoors. We have seen plenty of malicious ransomware infections that were downloaded by clandestine Trojans, and there are no guarantees that additional malware does not exist on your own computer. If you choose to follow the steps shown below, make sure you also scan your operating system to see which other threats you need to delete. Of course, we recommend implementing anti-malware software to have these threats (including the ransomware) erased automatically. If this is the option you choose, install a trustworthy anti-malware tool and let it erase all active infections. Should you have any more questions for us, you can post them in the comments box below.

Enigma Ransomware Removal

1. Launch Explorer by tapping Win+E keys on the keyboard.
2. Enter %Temp% into the address bar.
3. Right-click and Delete the file called testttt.txt.
4. Enter %AppData% into the address bar.
5. Right-click and Delete the file called testStart.txt.
6. Enter %UserProfile%\Desktop\ into the address bar.
7. Right-click and Delete these files:
   • allfilefinds.dat
   • enigma.hta
   • ENIGMA_807.RSA
   • enigma_encr.txt
8. Enter %UserProfile%\Downloads\ into the address bar.
9. Right-click and Delete the .exe file with an MD5-type name (combo of letters and numbers).
10. Launch RUN by tapping Win+R keys on the keyboard.
11. Enter regedit.exe into the dialog box and click OK.
12. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.
13. Right-click and Delete the values called MyProgram and MyProgramOk.