Enigma Ransomware

Posted: May 10, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	7,844

First Seen:	May 11, 2016
Last Seen:	November 24, 2021
OS(es) Affected:	Windows

The Enigma Ransomware is a Trojan that tricks its victims into installing it through JavaScript, and then encrypts their files, such as documents or images. After the encryption process, the Enigma Ransomware loads a ransom message asking for Bitcoin money for the safe return of the data, although malware experts still note the likely viability of free data-restoring techniques. After identifying the symptoms of this threat, a victim should uninstall the Enigma Ransomware with their anti-malware software, and then conduct any appropriate backup restoration actions.

The Shallow Mystery Behind a New Russian Trojan

The Enigma Ransomware (most likely borrowing its naming conventions from 'the Enigma' rotor cipher machines of the early twentieth century) is a file encryptor with a payload very similar to other ransom-based malware campaigns. However, the Enigma Ransomware also includes some unusual choices in structure most likely implemented for ease of use on the part of the malware developer. While not being a sophisticated threat of its category, the Enigma Ransomware does include basic region-filtering options, and currently only finishes its full payload on PCs located in Russia.

That payload includes scanning available hard drives for non-system files, which the Enigma Ransomware encodes with an AES encryption algorithm. Just as with most file encryptors seen in malware experts' analyses, the Enigma Ransomware also tags the affected content with an identifying text string ('.the Enigma'). As per usual, victims can't open the encrypted content, but the threat's automatically-loaded ransom message includes 'proof' of its decryption capabilities while trying to sell its full decryption services via Bitcoin payments.

The Enigma Ransomware uses a relatively in-depth ransom format based on HTA (a program built from HTML). The ease of use and its unambitious cash demand (roughly 200 dollars) may convince some victims to pay the Enigma Ransomware's fee upfront, although doing so would be a costly mistake with no certainty of data recovery.

The Solution to an Enigma that will not Cost You a Thing

While examining the Enigma Ransomware, malware experts saw some noteworthy limitations and inconsistencies that indicate its likely creation by an inexperienced developer. Although the Enigma Ransomware uses file attachments for installing itself, they require being launched by the victim manually. The Enigma Ransomware's Trojan droppers also utilize JavaScript, which you may block by default as a simple security measure.

Far more damningly than that, the Enigma Ransomware also shows potential for having a buggy payload that does not always delete any local backup data. Windows users may find success in restoring encrypted content from their Shadow Volume Copies. Since this solution is not always available, and other threats tend to account for it, malware experts continue recommending non-local backup defenses against file encryption attacks, such as a cloud storage service.

The Enigma Ransomware is a limited-scope threat whose executable is created dynamically when its JavaScript launches. Although good anti-malware programs should have no issues with removing the Enigma Ransomware, not opening it at all is a safer course of action for the contents of your computer. Until this campaign spreads to other regions, Russian-speaking PC users should take the greatest precautions against the Enigma Ransomware's known infection vectors: HTML file attachments that aren't what they say they are.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%TEMP%\enigma.hta

File name: enigma.hta
Size: 3.5 KB (3507 bytes)
MD5: 49834055020adf056f86bd6b786bc698
Detection count: 44
Mime Type: unknown/hta
Path: %TEMP%
Group: Malware file
Last Updated: April 28, 2017

file.exe

File name: file.exe
Size: 537.08 KB (537088 bytes)
MD5: c458e0d8d4818d0890ce0e34f6dc32aa
Detection count: 29
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 11, 2016

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

File name: Info.hta
Size: 13.64 KB (13647 bytes)
MD5: 9a8f9782336bd1a4c1877c190badee78
Detection count: 19
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 29, 2016

More files

EnigmaSpark