How to decrypt enigma. A ransomware virus - what is it, why is it dangerous. Quiz: What file extension is the type of bitmap

Select Department "K" of the Ministry of Internal Affairs of Russia and submit an online application.
See also articles of the Criminal Code of the Russian Federation:
art. 272 "Illegal access to computer information"
art. 273 "Creation, use and distribution of malicious computer programs"

Ransomware information

The following files are created during the encryption process:

% Temp% \\ testttt.txt - Debug file to resolve the issue with the handle and create the ransomware executable file.

% AppData% \\ testStart.txt - Debug file showing that encryption started and was successful.

% UserProfile% \\ Desktop \\ allfilefinds.dat - List of encrypted files.

% UserProfile% \\ Desktop \\ enigma.hta - Windows startup file used to display the ransom note.

% UserProfile% \\ Desktop \\ ENIGMA_.RSA - A unique key associated with the victim's PC to enter the payment site.

% UserProfile% \\ Desktop \\ enigma_encr.txt - The text of the ransom note.

% UserProfile% \\ Downloads \\.exe - Ransomware executable file.

To pay the ransom, you need to open a special TOR site created by the ransomware developers. Its address is in the ransom note and requires the download of the ENIGMA_.RSA file to enter the payment system.

Upon entering the system, the victim will see how many bitcoins need to be sent as a ransom, as well as the recipient's Bitcoin address. This site offers the victim to decrypt one file for free to prove that decryption is indeed possible.

List of file extensions subject to file encryption:
.1cd, .2d, .3dc, .7z, .aes, .asm, .asp, .asp, .aspx, .avi, .bat, .bmp, .bz, .bz2, .bza, .bzip, .bzip2 , .cad, .cd, .cdr, .cmd, .cpp, .crt, .csr, .csv, .czip, .dat, .dbf, .dif, .djv, .djvu, .doc, .docb,. docm, .docx, .dwg, .fla, .gif, .gz, .gz, .gz2, .gza, .gzi, .gzip, .hdoc, .html, .hwp, .java, .jpeg, .jpg, .key, .kwm, .lzma, .max, .mdb, .mdb, .mkv, .mml, .mov, .mpeg, .mpg, .MYD, .MYI, .odg, .odp, .ods, .odt , .odt, .otg, .otp, .ots, .ott, .pas, .pem, .php, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm,. ppsx, .ppt, .ppt, .pptm, .pptx, .pptx, .psd, .rar, .rtf, .rtf, .slk, .sln, .sql, .sqlite, .sqlite, .sqlite3, .sqlitedb, .sqx, .sqz, .srep, .stc, .std, .sti, .stw, .swf, .sxc, .sxi, .sxm, .sxw, .tar, .taz, .tbk, .tbz, .tbz2 , .tg, .tgz, .tif, .tiff, .tlz, .tlzma, .tsk, .tx_, .txt, .txz, .tz, .uc2, .uot, .vbs, .vdi, .wks,. wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlsx, .xlt, .xltm, .xltx, .xlw, .xz, .zi, .zip, .zip, .zipx, .zix (151 extension).

List of file extensions subject to file deletion:
.aba, .abf, .abk, .acp, .as4, .asd, .ashbak, .asvx, .ate, .ati, .bac, .bak, .bak, .bak ~, .bak2, .bak3,. bakx, .bbb, .bbz, .bck, .bckp, .bcm, .bk1, .bk1, .bkc, .bkf, .bkp, .bks, .blend1, .blend2, .bm3, .bpa, .bpb .bpm, .bpn, .bps, .bup, .bup, .cbk, .cbu, .ck9, .crds, .da0, .dash, .dba, .dbk, .diy, .dna, .dov, .fbc , .fbf, .fbk, .fbk, .fbu, .fbw, .fh, .fhf, .flka, .flkb, .fpsx, .ftmb, .ful, .fza, .gb1, .gb2, .gbp,. gho, .ghs, .icf, .ipd, .iv2i, .jbk, .jdc, .kb2, .lcb, .llx, .mbk, .mbw, .mddata, .mdinfo, .mem, .mig, .mpb, .mv_, .nb7, .nba, .nbak, .nbd, .nbd, .nbf, .nbf, .nbi, .nbk, .nbs, .nbu, .nco, .nfb, .nfc, .npf, .nps , .nrbak, .nrs, .nwbak, .obk, .oeb, .old, .onepkg, .ori, .orig, .paq, .pbb, .pbj, .qba, .qbb, .qbk, .qbm,. qbmb, .qbmd, .qbx, .qic, .qsf, .rbc, .rbf, .rbk, .rbs, .rdb, .rgmb, .rmbak, .rrr, .sbb, .sbs, .sbu, .skb, .sn1, .sn2, .sna, .sns, .spf, .spg, .spi, .srr, .stg, .sv $, .sv2i, .tbk, .tdb, .tig, .tis, .tlg,. tlg, .tmr, .trn, .ttbk, .uci, .v2i, .vbk, .vbm, .vpcbackup, .vr b, .wbb, .wbcat, .win, .win, .wjf, .wpb, .wspak, .xlk, .yrcbck (168 extensions).

Ransomware programs often have targeted areas and target audiences, but sometimes you can get infected even if you are not part of the target group. For instance Enigma Ransomware (also known as EnigmaRansomware) mainly trying to infect Russian-speaking computer users based in Russia and other countries, but this does not mean that it is not possible to catch this infection anyplace else. The main thing is that it is important to remove the program from the affected computer, because it brings nothing but chaos. You will find uninstallation guides at the bottom of this article. You should also consider purchasing a licensed anti-spyware tool to ensure that ransomware removal goes smoothly.

Where does Enigma Ransomware come from?

Usually this infection is spread through spam emails that carry malware. HTML attachments. Therefore, the first step in preventing this program from entering your system would be to avoid and ignore messages from unknown senders.

Opening. The HTML attachment carried by Enigma Ransomware runs JavaScript. This script connects to the internet behind your back and downloads the .exe file. After starting the file, file encryption begins.

It is not possible to tell who exactly created this infection, and we still do not have enough data to prove whether it is related to any of the applications previously released by the ransomware. Enigma Ransomware seems to have features that are not common to other similar applications, and even when we see how this program behaves, it is clear that it follows the pattern of the main ransomware.

What does Enigma Ransomware do?

Like many other ransomware applications, this program encrypts your files. As mentioned, file encryption begins when malicious JavaScript downloads and executes the .exe file. This happens behind your back and you will only know that your system has been compromised when you see a ransom notification on the screen.

Use WiperSoft Malware Removal Tool only for detection purposes. and.

The notification will be submitted in Russian. It will say that if you want your files back, you need to install Tor Browser and then use it to access the site that is given in the notification. Tor Browser is commonly used by ransomware programs to communicate between its servers and infected users.

Please note that there are at least two addresses provided in the notice. He says that if you are unable to access the first address, you should try the secondary one. This means that the connection to servers operated by cyber criminals is shaky and it wouldn't be surprising if you weren't able to get it at all. Thus, it is highly doubtful whether you will be able to obtain the decryption key even if you were to pay the ransom.

Unlike most programs of this profile, Enigma Ransomware does not give you a limited time for translation. Thus, it does not threaten to destroy your files. Yata € ™ s more, it is also very likely that the application does not delete all shadow copies of the volume. Different reports claim different results, but if shadow copies of the volume are actually preserved after infection, then it would be possible to recover the files with the help of an experienced technician, even without an actual backup!

How to remove Enigma Ransomware?

First of all, you need to remove this virus from your computer. Do not try to connect any backup device while the program is still running on your computer because this may affect removable drivers as well. Follow the instructions provided below to carefully remove all files associated with this infection.

Use WiperSoft Malware Removal Tool only for detection purposes. and.

Please note that deleting files and registry entries may not be sufficient to complete the actual infection. Not to mention that there may be more unwanted applications running on your computer. Therefore, you should scan your computer with a free SpyHunter scanner to determine which applications and files should be removed immediately.

Automatic malware removal is really effective, especially if you are not a computer savvy user. In addition, by purchasing a powerful anti-spyware tool, you will protect your computer from similar infections in the future. Just remember that your web browsing habits are also important, so be careful when you come across unfamiliar links, messages, and other unknown content.

Manual Enigma Ransomware removal

1. Click Win + R and enter % Temp% in the Open box.
2. Click oK button and delete the file testttt.txt from the catalog.
3. Open again execute and enter % AppData%... Click oK button.
4. Delete the file testSTart.txt from the catalog.
5. Open your Desktop and delete the following files: allfilefinds.dat, enigma.hta, ENIGMA_807.RSA and enigma_encr.txt.
6. Press again Win + R and enter regedit in field Open ... Click Enter.
7. Switch to HKEY_CURRENT_USERSoftware Windows CurrentVersionRun.
8. On right panels, right click and remove the values MyProgram and MyProgramOK.
9. Exit registry editor and navigate to the folder downloads .
10. To find .exe file named random 32-character and Delete him.

100% free spyware scan and tested Enigma Ransomware removal

Step 1: Remove Enigma Ransomware related programs from your computer

By following the first part of the instructions, you will be able to track and completely get rid of intruders and disturbances:

1. To complete Enigma Ransomware applications from the system, use the instructions that suit you:

• Windows XP / Vista / 7:Select button Start and then go to Control Panel .

• Windows 8: Moved the mouse cursor to the right side, edge. Please select Search and start searching " Control Panel". Another way to get there is to right click on hot corner left (just, start button) and go to Control Panel choice.

How do you get to Control Panel then find the section programs and select Removing a program ... In case the control panel has Classicalkind, you need to press twice on programs and components .

When programs and functions/uninstall program Windows appears, Take a look at the list, find and remove one or all of the programs found:

• Enigma Ransomware; HD is just a plus; RemoveThaeAdAopp; UTUobEAdaBlock; SafeSaver; SupTab;
• ValueApps; Lollipop; Updating the software version; DP1815; Video player; Convert files for free;
• Plus HD 1.3; BetterSurf; Trusted web; PassShow; LyricsBuddy-1; ;
• Media Player 1.1; Saving the bull; Feven Pro 1.1; Websteroids; Saving the bull; 3.5 HD-Plus; Re-markit.

Also, you should uninstall any application that was installed a short time ago. To find these recently installed applcations, click on Installed on section and here investigation programs based on dates have been established. Better take a look at this list again and remove any unfamiliar programs.

Use WiperSoft Malware Removal Tool only for detection purposes. and.

It may also happen that you cannot find any of the above listed programs that you advised to uninstall. If you understand that you do not recognize any untrustworthy and invisible program, follow the next steps in this uninstallation guide.

Step 2: Remove Enigma Ransomware pop-ups from browsers: Internet Explorer, Firefox and Google Chrome

Remove Enigma Ransomware pop-ups from Internet Explorer

Based on the advice provided, you can have your browsres return to normal. Here are tips for Internet Explorer:

Eliminate Enigma Ransomware pop-up ads from Mozilla Firefox

If the Mozilla Furefox browser on your system is somehow broken due to entry viruses, you must restrore it. Restoring in other words means resetting the browser to its original state. Don't be worried about how your personal browser choices will be secure, such as history, bookmarks, passwords, etc.

Important: how to restore the browser was carried out, be informed that the old Firefox profile will be saved in the folder old Firefox data located on the desktop of your system. You may need this folder, or you can simply delete it as it owns your personal data. In case the reset was not successful, have your important files copied back from the specified folder.

Remove Enigma Ransomware Pop-ups from Google Chrome

1. Find and click on chrome menu button (browser toolbar) and then select tools ... Continue with extensions .

1. In this tab you can delele any unfamiliar plugins by clicking on the trash can icon. The main thing is to have all or one of these programs removed: Enigma Ransomware, HD-only-plus, SafeSaver, DP1815, video player, convert files for free, plus-HD 1.3, BetterSurf, Media Player 1.1, PassShow, LyricsBuddy-1, Yupdate4.flashplayes.info 1.2, Media Player 1.1, Bull savings, Feven Pro 1.1, Websteroids, savings bull, HD-Plus 3.5.

* WiperSoft scanner, published on this site, is intended to be used only as a detection tool. ... To use the removal functionality, you will need to purchase the full version of WiperSoft. If you wish to uninstall WiperSoft,.

Ransomware ransomwareEnigma Ransomware: Target - Russian-speaking users

The new Enigma Ransomware malware encrypts data using the AES-128 algorithm and then requires 0.4291 BTC (approximately $ 200 USD) to return the files back. The extortionate note is written in Russian and the ransom payment site page has a Russian-language interface. It is noteworthy that this ransomware, although it should, but does not always delete volumes of shadow copies of files, so the victim can use them to restore their files.

Fig. 1. Russian language ransom note

Enigma Ransomware spreads via HTML attachmentscontaining everything you need to create an executable file, save it to your hard disk, and then run it for execution. Opening the HTML attachment will launch a browser and execute inline JavaScript, which will generate a stand-alone file called Private Enterprise Registration Certificate.js.

After entering the system, the victim will see how many bitcoins need to be sent as a ransom, as well as the recipient's Bitcoin address. This site offers the victim to decrypt one file for free to prove that decryption is indeed possible.

There is also a mini-support chat here, through which the victim can talk to the malware developers. After payment is received, a link to download the decoder will be shown.

Files Related to Enigma Ransomware:
% Temp% \\ testttt.txt
% AppData% \\ testStart.txt
% UserProfile% \\ Desktop \\ allfilefinds.dat
% UserProfile% \\ Desktop \\ enigma.hta
% UserProfile% \\ Desktop \\ ENIGMA_807.RSA
% UserProfile% \\ Desktop \\ enigma_encr.txt
% UserProfile% \\ Downloads \\.exe

Registry entries associated with Enigma Ransomware:
HKCU \\ Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Run \\ MyProgram.exe
HKCU \\ Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Run \\ MyProgramOk% UserProfile% \\ Desktop \\ enigma.hta

The other day I happened to get acquainted with another kind of viral muck, which leads to the loss of all useful user data. We are talking about a ransomware virus that is sent by mail, encrypts files of different formats and puts the .enigma extension. I will tell you about how it works and how to deal with such viruses.

Guaranteed file decryption after ransomware virus - dr.shifro.ru... The details of the work and the scheme of interaction with the customer are below in the article in the corresponding section under number 7 in the Contents.

Description of enigma ransomware virus

This virus is very similar to the one I already described -. Into the technical details of the new virus enigma I did not delve into it, but outwardly for the user everything looks about the same.

It all starts with the fact that you receive a letter in the mail. In my case, the content was as follows:

My mom bought a product from you 5 years ago
Your desk has counted us!
Please, sort out the purchase information again. Waiting for an answer

The sender is a box on mail.ru, and a real one.

In the letter attachment invoice.html... It is a html page. If you open it in a browser, you will see the following content:

purchase_account.doc is a hyperlink that "downloads" the virus. In reality, it is not downloaded, it is already on your computer, but you need to run it. It has not been launched yet. If you click on this link, then you are offered to "download" the zip file purchase_account.zip... It contains the file purchase_account (text document printout) .js, it is itself a virus. Only after launching it will you start the file encryption process.

The first window will pop up:

And then the second:

These are deceptive messages, in order to see the following window:

You clicked Yes when prompted by the User Account Control warning:

In fact, if you agree to execute the command here, you will lose all your shadow copies and will not be able to recover the data. If you have disabled UAC, then the virus will automatically delete shadow copies and data recovery using them will become impossible.

After several requests from UAC, they will stop. At this time, the virus has already encrypted all your data, which it considers useful. In my case, these were all microsoft office formats (xlsx, docx, etc.), pdf files, images of various formats, archives.

In my case, the virus did not pass through the network folders. I don’t know for some reason, either he doesn’t know how, or he did not have time. As soon as a virus was noticed on the computer, it was immediately turned off.

Upon completion of file encryption, you will receive a message similar to the following:

We have encrypted important files on your computer: documents, databases, photos, videos, keys.
The files are encrypted with the AES 128 algorithm (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know.
Encrypted files have the extension .ENIGMA. It is IMPOSSIBLE to decrypt files without a private key.

If you want to get the files back:

1) Install Tor Browser https://www.torproject.org/
2) Find on the desktop the key to access the ENIGMA_ website (your key number) .RSA
3) Go to the site http://f6lohswy737xq34e.onion in the tor browser and log in with ENIGMA_ (your key number) .RSA
4) Follow the instructions on the website and download the decryptor

C: \\ Users \\ user \\ Desktop \\ ENIGMA_338.RSA - Path to the key file on the desktop
C: \\ Users \\ user \\ AppData \\ Local \\ Temp \\ ENIGMA_338.RSA - Path to the key file in the TMP folder

This message is expanded to full screen with no option to close without the task manager:

2 files appear on the desktop:

• ENIGMA_338.RSA
• enigma_encr.html

The first is a certain key by which you can enter the site of the attackers, based on which they will give you a decryption key. The second file is a copy of the informational message above.

Here is a description of how the new enigma ransomware virus works. If someone told me that people themselves do all the operations described above, I would not have believed it if I had not observed it myself. The secretary received a letter and she performed the entire sequence of the described actions. As a result, all her files on her computer were encrypted. Antivirus Kaspersky did not help with fresh databases on the day of infection. Then I manually scanned all the files that are related to this virus, the antivirus did not find anything suspicious in any of them. The question is, what is the point in them. In my previous meeting with the vault ransomware, there was a licensed current nod32 on the computers, but it did not help either. After these two cases, I generally consider modern antiviruses useless. They do not provide protection against modern threats.

Users had antiviruses enabled with the latest databases, but this did not save them in the least from the complete loss of all their information. I, of course, understand that they themselves are to blame for launching viruses. Nevertheless, this is fairly typical behavior for a large group of users. Why it is impossible to display at least a warning from the antivirus that you have started the file encryption process, I do not understand.

The virus puts the enigma extension on doc, jpg, xls and other files

The enigma ransomware virus worked for us and encrypted all documents and pictures of various formats. All files now have the .enigma extension. Just in case, I tried to remove the enigma extension manually to the standard one, in the hope that this is some kind of fake for a real ransomware. I had this hope because of the complete lack of response from the antivirus. But expectations were not met. Changing the extension did not lead to anything, the file did not open. Apparently it is indeed encrypted using AES-RSA.

After the virus encrypts all files and displays a notification about its work, encryption will stop. All new files created after this will not be encrypted. At least in the version of the virus that came to me. I checked this on purpose by creating new files and rebooting. The new files remained intact. The virus deletes the exe file after finishing its work. If you don't run the ransomware again, new files will not be damaged.

How to remove enigma virus and cure your computer

What to do if the enigma virus is already on your computer? The enigma ransomware is not very intrusive and is not difficult to remove. To cure the computer, it is enough to remove the remnants of the virus and clean the startup so that the message does not pop up. Specifically, my modification of the virus created in the folder C: \\ Users \\ user \\ AppData \\ Local \\ Temp multiple files:

• enigma.hta
• ENIGMA_338.RSA (decryption access key)
• enigma_encr.html (informational message)
• falcon9.falcon
• workstatistic.dat

There was also an executable file 6afee960284667dab3f5430f708f58ce.exe, the virus itself cleans up after completion of work. RSA and html files were additionally copied to the user's desktop.

To start the message when the computer boots up and to continue encryption if it has not been completed, use the registry entries in the autorun branch:

HKEY_CURRENT_USER \\ Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Run

2 keys are created:

"adfaccaffdcad" \u003d "\\" C: \\\\ Users \\\\ user \\\\ AppData \\\\ Local \\\\ Temp \\\\.exe \\ "" "adfaccaffdcadba" \u003d "\\" C: \\\\ Users \\\\ user \\\\ AppData \\\\ Local \\\\ Temp \\\\ enigma.hta \\ ""

They need to be removed along with the above files. This is enough to cure the computer and completely remove the enigma virus.

How to recover and decrypt files after enigma virus

What to do to recover encrypted files? I searched the internet for information about this virus. There are references, but not many. Most likely this modification is not very popular, but it still occurs. When I first encountered the enigma virus, there was no information on the Internet about the successful decryption of files or about the existence of the enigma decryptor.

When I sat down to write this article, I checked the internet again. Fresh records appeared on the esetnod32 forum that technical support can provide a decoder: “Technical support sent a decoder, deciphered everything !!! Thanks. "

You can try to buy this antivirus and write to technical support with a request to decrypt files with the .enigma extension. But it's not a fact that this will help you specifically in your case. Now there are so many of these ransomware with the same names that it is impossible to guarantee decryption.

You cannot decrypt the files on your own. Only backup copies made either manually or automatically using windows shadow copies can come to the rescue. You can find out if your shadow copies are enabled in the computer properties, in the "System protection" section.

If your protection is enabled, then you can try to manually restore the file with the .enigma extension. To do this, you need to change the file extension yourself by removing the .enigma prefix from it. If this is not done, the system will consider that this is a completely different file and will not offer its previous versions, although in reality they will exist. Change the file extension yourself, select the file and right-click on it, choosing the last item "properties". Next, select the "Previous versions" tab

If the file has previous versions, then select the latest and restore.

You have no other options to restore files if you have not made backups to another computer, external drive or flash drive. An extreme option is to contact the attackers for decryption. Most often they give a really working decryptor, I know of several such examples. Whether to use it or not is up to you, depending on the degree of importance of the encrypted files.

Kaspersky, drweb and other antiviruses in the fight against enigma ransomware

What do modern antiviruses offer in the fight against the enigma ransomware virus? All antiviruses have standard recommendations - if you have a licensed version of the program, then you can contact technical support and wait for a response. At the time of this writing, I only saw information from the eset nod32 antivirus that they can decrypt files.

Judging by the dates, this is the same virus as mine.

On the Kaspersky forum, I did not find information about enigma, except for one topic in the English-language section. There was nothing useful and meaningful there. You can create a request to decrypt files, the link describes in detail how to do this.

Where else to go for guaranteed decryption

I happened to meet one company that actually decrypts data after the work of various ransomware viruses, including enigma. Their address is http://www.dr-shifro.ru. Payment only after complete decryption and your verification. Here's an example of how it works:

1. A company specialist drives up to your office or home and signs a contract with you, in which he fixes the cost of the work.
2. Launches the decryptor and decrypts all files.
3. You make sure that all files are open, and you sign the delivery / acceptance certificate of the work performed.
4. Payment solely upon successful decryption result.

More about the scheme of work- http://www.dr-shifro.ru/11_blog-details.html
To be honest, I don't know how they do it, but you are not risking anything. Payment only after demonstration of the decoder operation. Please write a review about your experience with this company.

Methods for protecting against enigma virus

I would not recommend anything new or original in protecting against ransomware viruses. Enigma is not fundamentally different from all other ransomware that attack Internet users like an avalanche. All examples of ransomware that I have seen infiltrated the user's computer via mail and the user started the encryption himself.

The main recommendation for protecting against ransomware viruses is to carefully look at the letters you receive by e-mail. Don't run dubious attachments. The encryptors are perfectly visible, they differ from ordinary documents, you just need to look more closely.

Be sure to back up important information and do not store those copies on the same computer you are using. Get a separate USB flash drive and external hard drive for this and periodically connect them to your computer, copy information and disconnect. It is necessary to disconnect it !!! I know of an example when a flash drive was used for backup, which was stuck into the computer during working hours. the virus encrypted all documents on the computer and on the USB stick !!!