Enigma virus was detected at the end of April 2016. It is obvious that it uses a name similar to a well-known software developer called Enigma Software. However, we would like to add some clarity and warn you that the company and its virus remover SpyHunter is NOT related to Enigma ransomware in any way. Most probably, the name of this virus was selected according to a first cryptographic machine called “Enigma machine.” However, there is no guarantee that people behind Enigma ransomware are not seeking to manipulate the name of the reputable anti-spyware maker and discredit its product. If you are infected with this cyber threat, you can always rely on FortectIntego and use it for malicious files’ removal.
How does Enigma virus operate?
Enigma virus, which falls into ransomware category, seems to be hostile to the Russian-speaking computer users. Once installed on the computer system, it checks what is the default language of the computer. If it is Russian, Enigma malware starts its activities right away. If it’s not, it simply terminates itself. Once it determines that the computer user speaks Russian language, it starts scanning the entire computer system and searches for audio, video files, images, documents, and basically all types of victim’s files. Then it encrypts them using AES crypto-algorithm. Once it encrypts a file, it also adds .enigma extension to the filename. In the beginning of October 2016, new versions of Enigma virus has been spotted, and these add a different file extension to encrypted files – .1txt file extension. Once Enigma ransomware finishes with the encryption process, it launches enigma.hta file, which opens up in Internet Explorer. This file is the so-called ransom note, which informs the user about what has happened to the computer and what needs to be done in order to recover the encrypted data.
The ransom note is written in the Russian language, and it instructs the victim to install the Tor Browser, enter a particular website and upload .RSA file that came with the virus. When the victim uploads this file, he enters an Internet site that introduces him/her with the cost of the decryption key that is required for data decryption. An interesting fact is that Enigma virus provides a chat box to speak with the cyber criminals directly. However, no matter how valuable your files are, do not rush to pay the ransom (crooks ask for 0.4273 BTC, which is approximately 200 USD).
The developers of this malware have left a flaw in this virus – if the user has enabled Windows UAC on the computer, the virus will show a “User Account Control” prompt, which gives the user two options – either agree or disagree on allowing the “following program” make changes on the computer. In case the victim clicks No, the virus encrypts files but leaves Volume Shadow Copies untouched, and these copies can be used for data recovery. Therefore, if you have clicked “No,” all you need to do now is to remove Enigma ransomware. If you are not a skillful computer user, we do not recommend you to deal with this virus on your own. You can quickly eliminate this virus with a help of anti-malware software like FortectIntego.
How did Enigma ransomware infect your computer?
Ransomware viruses mostly spread via spam emails. Cyber criminals usually send mass emails including malicious attachments, so we advise you to stay away from emails that are sent by people you do not know in person. If you open such malicious email attachment, Enigma virus will be immediately installed on your computer system. We have discovered that Enigma ransomware arrives in a form of HTML document, which, once the victim opens it, launches in default Internet browser and executes a JavaScript file. Then it drops Свидетельство о регистрации частного предприятия.js file on victim’s computer system and asks the victim to open it. If the victim opens this file, the malware starts the encryption process. However, downloading malicious email attachments is not the only way to infect your PC with Enigma ransomware. Crooks also spread this virus via malvertising, so you should stay away from untrustworthy download websites, and especially from suspicious pop-up ads that suggest you to update Adobe Flash Player, Adobe Acrobat or other well-known programs. These bogus updates usually include malicious attachments. If your computer has been affected by Enigma malware already, do not waste any time and eliminate it. To find out how to remove this virus and recover your files, follow Enigma removal guide (given below).
UPDATED on October 11: It seems that scammers use even more advanced techniques to distribute ransomware, and in this case, it has been spotted that such malicious software can be dropped on the computer after one of the most infamous adware-type programs installs it. Adware programs suspected for malware distribution are these: OpenCandy and Dealphy.
Uninstall Enigma ransomware and decrypt your files
As we have mentioned on page 1, you can delete Enigma virus with an automatic malware removal software (for instance, FortectIntego). For users who do not want to obtain a malware removal tool, we have prepared a manual Enigma removal tutorial. You can find it below this article. Make sure you completely remove this computer infection before you attempt to recover your files using Volume Shadow Copies.
Was this guide helpful?
4 comments