
Enigma Ransomware

Posted: May 10, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 7,844
First Seen: May 11, 2016
Last Seen: November 24, 2021
OS(es) Affected: Windows

The Enigma Ransomware is a Trojan that tricks its victims into launching an HTML file attachment whose embedded JavaScript drops and runs the real payload, which then encrypts their files, such as documents or images. After the encryption process, the Enigma Ransomware loads a ransom message demanding Bitcoin for the return of the data, although malware experts note that free data-recovery techniques are likely to work against it. After identifying the symptoms of this threat, a victim should remove the Enigma Ransomware with their anti-malware software and then restore the affected files from backups.

The Shallow Mystery Behind a New Russian Trojan

The Enigma Ransomware (most likely borrowing its name from the Enigma rotor cipher machines of the early twentieth century) is a file encryptor whose payload closely resembles that of other ransom-based malware campaigns. It does, however, make some unusual structural choices, most likely for the convenience of its developer. While not a sophisticated member of its category, the Enigma Ransomware includes basic region filtering and currently only completes its full payload on PCs located in Russia.

That payload scans the available hard drives for non-system files and encrypts them with the AES algorithm. As with most file encryptors in malware experts' analyses, the Enigma Ransomware tags the affected content with an identifying extension ('.enigma'). Victims can't open the encrypted content, but the threat's automatically loaded ransom message includes 'proof' of its decryption capability while trying to sell the full decryption service for a Bitcoin payment.

The Enigma Ransomware delivers its ransom note as a relatively elaborate HTA (an HTML Application: an HTML file that mshta.exe runs outside the browser sandbox, with full scripting privileges). The ease of payment and the modest demand (roughly 200 US dollars) may convince some victims to pay the Enigma Ransomware's fee upfront, although doing so would be a costly mistake with no guarantee of data recovery.

The Solution to an Enigma that will not Cost You a Thing

While examining the Enigma Ransomware, malware experts noted limitations and inconsistencies that point to an inexperienced developer. Although the Enigma Ransomware arrives as an e-mail file attachment, that attachment still has to be launched by the victim manually. Its Trojan dropper is the JavaScript inside the attachment, so blocking or re-associating script and HTA file types by default is a simple and effective precaution.
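One way to apply that precaution on a Windows host, as an added example that is not part of the original page: rewrite the per-machine file-association commands so that double-clicking an .hta, .js or .jse attachment opens it in Notepad instead of handing it to mshta.exe or wscript.exe. The script is hypothetical hardening code, not the ransomware or the page's own material; it assumes an elevated PowerShell session and prints the previous command for each type so the change can be reverted.

```powershell
# Added example (not from the original page): neuter the default handlers for the
# file types the Enigma Ransomware's dropper relies on. Run from an elevated session.
# HKLM:\SOFTWARE\Classes is the per-machine half of HKEY_CLASSES_ROOT.

$handlers = [ordered]@{
    'htafile' = 'HTML Application (normally mshta.exe)'
    'JSFile'  = 'JScript file (normally wscript.exe)'
    'JSEFile' = 'Encoded JScript file (normally wscript.exe)'
}

# Notepad just displays the attachment's text; nothing in it executes.
$safeCommand = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""

foreach ($progId in $handlers.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "$progId has no open command on this machine; skipping."
        continue
    }

    # Record the original command so the change is reversible.
    $before = (Get-ItemProperty -LiteralPath $key).'(default)'
    Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $safeCommand
    $after  = (Get-ItemProperty -LiteralPath $key).'(default)'

    "{0,-8} {1}" -f $progId, $handlers[$progId]
    "  was: $before"
    "  now: $after"
}

# Verify: the HTA handler should now resolve to notepad.exe.
$check = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command').'(default)'
if ($check -notmatch 'notepad\.exe') { throw 'htafile handler was not updated.' }
```

This only changes what a double-click does. An attacker who already has code running can still invoke mshta.exe or wscript.exe by explicit path, so for hosts that never need HTAs or scripts, an AppLocker or Windows Defender Application Control rule denying those two binaries is the stronger companion control. Per-user overrides in HKCU:\SOFTWARE\Classes take precedence over the per-machine keys, so check those too on machines where users have customised associations.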

More damningly, the Enigma Ransomware's payload appears to be buggy and does not always delete local backup data. Windows users may therefore be able to restore encrypted content from their Shadow Volume Copies. Because this avenue is not always available, and other threats reliably delete shadow copies before encrypting, malware experts continue to recommend non-local backups, such as a cloud storage service, as the defense against file-encryption attacks.
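The shadow-copy check described above, carried through as an added example that is not part of the original page: list the Volume Shadow Copies that survived on the system drive and, if any did, expose the newest one read-only through a directory symlink and copy pre-encryption files out of it. The mount point, the victim profile path and the destination folder are illustrative assumptions, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the original page): recover files from a surviving
# Volume Shadow Copy. Assumes an elevated session; paths below are illustrative.

# vssadmin prints one block per snapshot, including its device path.
$raw = & vssadmin.exe list shadows /for=C:
if ($LASTEXITCODE -ne 0) { throw 'vssadmin failed; run this from an elevated prompt.' }

# Each snapshot has a line like
#   Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
$snapshots = @($raw | ForEach-Object {
    if ($_ -match 'Shadow Copy Volume:\s*(\S+)') { $Matches[1] }
})

if ($snapshots.Count -eq 0) {
    Write-Warning 'No shadow copies on C:. Either VSS was off or the payload did delete them this time.'
    return
}
"Found $($snapshots.Count) shadow copies (oldest first):"
$snapshots | ForEach-Object { "  $_" }

# Mount the newest snapshot. The trailing backslash on the device path is required
# for mklink to treat it as a directory target.
$newest = $snapshots[-1] + '\'
$mount  = 'C:\vss_restore'   # assumed mount point
if (-not (Test-Path -LiteralPath $mount)) {
    cmd.exe /c mklink /d $mount $newest | Out-Null
}

# Copy clean versions to a separate folder rather than over the encrypted originals,
# so nothing is lost if the snapshot turns out to be older than expected.
# /XF *.enigma skips files that were already encrypted when the snapshot was taken.
$src = Join-Path $mount 'Users\victim\Documents'   # assumed victim profile
$dst = 'C:\Recovered\Documents'                    # assumed destination
robocopy $src $dst /E /XF *.enigma /NFL /NDL

# Remove only the symlink; the snapshot itself stays in place for further recovery.
cmd.exe /c rmdir $mount
```

Snapshots are point-in-time images, so anything created or changed after the last snapshot is not in them; compare timestamps on a few recovered files against the ransom note's creation time before trusting the result. If vssadmin reports nothing, the remaining options are the non-local backups the article recommends.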

The Enigma Ransomware is a limited-scope threat whose executable is written to disk only when the JavaScript in its dropper runs. Although good anti-malware programs should have no trouble removing the Enigma Ransomware, not opening the attachment at all is the safer course for the contents of your computer. Until this campaign spreads to other regions, Russian-speaking PC users should take the greatest precautions against the Enigma Ransomware's known infection vector: HTML file attachments that aren't what they claim to be.

Technical Details

File System Modifications


The following files were created in the system:
All entries: Mime Type unknown/hta, Group: Malware file.

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (11 variants)
  13,639 bytes  MD5 8abb764072580caad67085ef2c4fb4a9  detection count 3,366  last updated December 29, 2016
  13,635 bytes  MD5 07a76a8680b8808be73cd7022281c8bb  detection count 712    last updated December 29, 2016
  13,633 bytes  MD5 98fd00612916c2e33a642ba205e34a7b  detection count 309    last updated December 29, 2016
  13,633 bytes  MD5 0b9fde0b4c2c9f830140055fb38d800b  detection count 307    last updated December 29, 2016
  13,635 bytes  MD5 9831132083f2ee030af1d98b9c14f154  detection count 246    last updated November 24, 2021
  13,639 bytes  MD5 5ab602dabd31d41dcc73f8aa6d03e93f  detection count 192    last updated December 29, 2016
  13,635 bytes  MD5 83dcb8080a188b89a888a40f1fcd6a4b  detection count 77     last updated December 29, 2016
  13,645 bytes  MD5 f66247bf5c7f9ad62b5368ed5313805b  detection count 49     last updated December 29, 2016
  13,647 bytes  MD5 71132bd628fc3b1cf3eac606730f3d4a  detection count 40     last updated December 29, 2016
  13,633 bytes  MD5 6db61e8081ea89a3a8eade528252e4a2  detection count 21     last updated December 29, 2016
  13,629 bytes  MD5 32d637476a64a2e440d1269185f3e673  detection count 19     last updated December 29, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (3 variants)
  13,623 bytes  MD5 e585f947d71d447687511180879d7a51  detection count 703    last updated December 29, 2016
  13,617 bytes  MD5 1056d034a70bf36662e7c650109b90ba  detection count 148    last updated December 29, 2016
  13,637 bytes  MD5 62c420c70071c316b61a920f3db27752  detection count 54     last updated December 29, 2016

%APPDATA%\Info.hta (1 variant)
  13,637 bytes  MD5 242857b841c36464078f93af40399c57  detection count 148    last updated December 29, 2016

%TEMP%\enigma.hta (5 variants)
  3,520 bytes   MD5 83fe6340c1ba2df0763ff586ea0f078e  detection count 379    last updated April 28, 2017
  3,507 bytes   MD5 49834055020adf056f86bd6b786bc698  detection count 44     last updated April 28, 2017
  3,513 bytes   MD5 cafe36615aaff4c3ef741567c1c3a567  detection count 28     last updated April 28, 2017
  3,515 bytes   MD5 a69798cb9a41ea7fe7833d90a55c6c70  detection count 14     last updated April 28, 2017
  3,542 bytes   MD5 0d69dee6cfc97dd423eec213ab650795  detection count 12     last updated April 28, 2017
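A hunting script that turns the file list above into a host check, added here as an example and not part of the original page or of the threat itself: it hashes every .hta in the Startup, %APPDATA% and %TEMP% locations the list names, flags matches against the listed MD5s, and then looks for the two other symptoms the article describes, a running mshta.exe and files carrying the '.enigma' extension. It assumes an elevated PowerShell session so every user's profile is readable; the extension and process name come from the article, and the hash list is copied from the table.

```powershell
# Added example (not from the original page): hunt a Windows host for the
# Enigma Ransomware's persistence files and symptoms. Run as an administrator.

# MD5s copied from the file table on this page.
$knownMd5 = @(
    '8abb764072580caad67085ef2c4fb4a9', '07a76a8680b8808be73cd7022281c8bb',
    'e585f947d71d447687511180879d7a51', '83fe6340c1ba2df0763ff586ea0f078e',
    '98fd00612916c2e33a642ba205e34a7b', '0b9fde0b4c2c9f830140055fb38d800b',
    '9831132083f2ee030af1d98b9c14f154', '5ab602dabd31d41dcc73f8aa6d03e93f',
    '1056d034a70bf36662e7c650109b90ba', '242857b841c36464078f93af40399c57',
    '83dcb8080a188b89a888a40f1fcd6a4b', '62c420c70071c316b61a920f3db27752',
    'f66247bf5c7f9ad62b5368ed5313805b', '49834055020adf056f86bd6b786bc698',
    '71132bd628fc3b1cf3eac606730f3d4a', 'cafe36615aaff4c3ef741567c1c3a567',
    '6db61e8081ea89a3a8eade528252e4a2', '32d637476a64a2e440d1269185f3e673',
    'a69798cb9a41ea7fe7833d90a55c6c70', '0d69dee6cfc97dd423eec213ab650795'
)

# The common Startup folder, every user's Startup folder, plus %APPDATA% and %TEMP%.
$startupTail = 'Microsoft\Windows\Start Menu\Programs\Startup'
$dirs = @(Join-Path $env:ALLUSERSPROFILE $startupTail)
$dirs += Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path $_.FullName "AppData\Roaming\$startupTail" }
$dirs += $env:APPDATA, $env:TEMP

$findings = foreach ($dir in ($dirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Filter *.hta -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
            [pscustomobject]@{
                Path        = $_.FullName
                Bytes       = $_.Length
                MD5         = $md5
                KnownEnigma = ($knownMd5 -contains $md5)
            }
        }
}

# Any .hta in a Startup folder deserves a look even when its hash is new: the table
# shows the note's size drifting by a few bytes from one variant to the next.
if ($findings) { $findings | Format-Table -AutoSize } else { 'No .hta files in the watched locations.' }

# Symptom 2: a live mshta.exe rendering the ransom note.
Get-CimInstance Win32_Process -Filter "Name = 'mshta.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine

# Symptom 3: encrypted files on every mounted file-system drive.
$encrypted = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -LiteralPath $_.Root -Recurse -File -Filter *.enigma -ErrorAction SilentlyContinue
}
"Files with the .enigma extension: $(@($encrypted).Count)"
if ($encrypted) { $encrypted | Select-Object -First 10 FullName, LastWriteTime }
```

The hash match is the high-confidence signal; the presence of any .hta in a Startup folder, or of mshta.exe running at logon, is the one to act on when the sample is a variant the table does not list. Run the check before cleaning so the encrypted-file count and the earliest LastWriteTime give a timeline to compare against the shadow copies and backups.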
