A new variant of ransomware known as Engima is specifically targeting unsuspecting users who live in Russian-speaking countries.
The ransomware was first identified by Jakub Kroustek, a reverse engineer and malware analyst at AVG Technologies:
— Jakub Kroustek (@JakubKroustek) April 29, 2016
Since his discovery, others have had a chance to analyze how this relatively new form of crypto-malware works.
Malware analyst @MalwareHunterTeam along with computer security expert Lawrence Abrams of Bleeping Computer, for example, have published a blog post summarizing their investigation of Enigma.
That ransomware executable then proceeds to encrypt a user’s files, append the .ENIGMA extension to them, and display a ransom message written entirely in Russian:
It’s curious that Enigma is specifically targeting Russian-speaking countries, especially when Cerber currently makes it a point of preventing users living in Russia and Eastern European countries from becoming infected.
If anything, Enigma proves that no one is safe from ransomware these days.
This crypto-malware variant demands approximately US $200 in exchange for the decryption key. For victims to complete their payments, they must download the Tor browser and use it to access the Enigma’s payment portal, which is also written entirely in Russian:
There they can decrypt one file for free and communicate with the malware developers via a chat box.
The following YouTube video demonstrates Enigma in action.
At this time, there is no reliable way for victims to recover their files for free.
With that being said, Abrams and @MalwareHunterTeam do note that in some instances, Engima fails to delete the Shadow Volume Copies (SVC). The ransomware will attempt to delete the SVC, so there’s no way of knowing if it will succeed from one victim to another. If it does not, a victim should use their Shadow Volume Copies to restore access to their decrypted files.
For all other users, prevention is key. Please make sure you back up your data regularly and install an anti-virus solution onto your computer. At this time, VirusTotal is listing 37 different anti-virus tools which are identifying the Enigma ransomware.
With one of those products running on your machine, you can protect yourself against this threat.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.