LIGMA.exe is a malicious executable used by LIGMA ransomware
LIGMA.exe — is an executable file responsible for initiating the malicious processes on the LIGMA ransomware infected device. File locking malware is known to encrypt personal data on the system, and for this process to work, virus drops multiple files, such as LIGMA.exe, Payloads.dll, work.bat, mbr.bin, into C:\WinWOW32. Then, the encryption process affects data on the system, including documents, photos, videos or even archives. This particular ransomware that uses AES-256 encryption method and marks encoded files with .ForgiveMe file extension was discovered in September 2018. The virus operates a bit differently than typical ransomware because there is no possibility to pay the ransom and get your files decrypted. Ligma is a ransomware-wiper virus.
|Responsible for||Launching the virus|
|Danger level||Encrypts files on the device|
|Distribution||With ransomware via spam email attachments|
|Elimination||Use Reimage and clean your system|
The ligma.exe virus often called like that because the ransomware related to the executable file causes various damage on the device including data-locking and changes on the registry. Ransomware changes Windows registry keys in order to start automatically each time the computer turned on.
When the ligma.exe file is launched it starts the following actions:
- scans the device to read the name, location, and language of the computer system;
- modifies registry keys/adds new ones;
- deletes shadow volume copies.
If your device is infected with LIGMA ransomware, your screen gets locked with the ransom message displayed before you. This ransom note is not typical and not demanding for a ransom since this virus is designed to wipe clean your device.
The black lock screen displays the following:
YOUR PC LIGMA BALLS xD
This PC is dead because you did n't follow the rules.
Your PC will never work again.
NOTE: Even if you fix the MBR your Your PC Is Dead.
Entire Registry is Fucked and your files are infected.
LIGMA ransomware is designed for Windows 7 supporting PCs and according to the analysis, the main ransomware file and this executable can be detected as malicious by antivirus programs.
Because of this fact, you need to perform LIGMA.exe removal using your antivirus and clean the remaining virus damage with anti-malware tools like Reimage. You should scan your device with this program to remove malicioius files and programs entirely off of your device.
Unfortunately, your data is not going to be decrypted, but if you remove LIGMA.exe properly, you can try various methods of data recovery. It can be done using Windows Previous Versions feature or ShadowExplorer if the Shadow Volume Copies remain untouched.
Ransomware payload is hidden in files attached to spam emails
Malware researchers advise users to pay more attention to what they are clicking on, including questionable emails. Spam box is filled with commercial content and emails from companies, services. However, phishing email campaigns can be more luring. Emails with malicious attachments can often be confused with legitimate ones, as crooks try to imitate high-profile organizations and companies, such as Amazon, UPS, FedEx, various banks, tax offices, etc.
Malicious emails contain invoices, receipts or other important-looking documents which are infected with the malicious script. If you are not paying attention to details like typos, grammar mistakes or not common senders' name you may get dangerous malware installed on your device immediately when you download and open this infected file.
Terminate LIGMA.exe and clean your system from virus damage
To remove LIGMA.exe, you need to enter the Safe Mode with Networking and use your antivirus program. For further system cleaning employ professional anti-malware tools like Reimage, SpyHunterCombo Cleaner, Malwarebytes Malwarebytes. When you delete the ransomware virus, all these malicious files get eliminated too, and your system can be safe again.
Automatic LIGMA.exe removal is the best solution because eliminating a sophisticated virus manually is almost impossible. After this process, you can try to replace encoded data from a backup or use data recovery tools and features to restore them on the device.