A new variant of ransomware known as Enigma is specifically targeting unsuspecting users who live in Russian-speaking countries.
The ransomware was first identified by Jakub Kroustek, a reverse engineer and malware analyst at AVG Technologies:
Are malware authors running out of names? Another #Enigma #ransomware. https://t.co/eiv8eg0DcF pic.twitter.com/fRC9KeK3ZM
— Jakub Kroustek (@JakubKroustek) April 29, 2016
Since his discovery, others have had a chance to analyze how this relatively new form of crypto-malware works.
Malware analyst @MalwareHunterTeam along with computer security expert Lawrence Abrams of Bleeping Computer, for example, have published a blog post summarizing their investigation of Enigma.
The duo explain that the ransomware is currently being distributed via HTML attachments that, when opened, launch in a web browser and execute embedded JavaScript. That code then creates a JavaScript file named Свидетельство о регистрации частного предприятия.js, or “The certificate of registration of private predpriyatiya.js” in English.
“When the javascript file is created, the HTML file will automatically pretend to download it and offer it as a file that the victim should execute. When this JS file is executed, it will create an executable called 3b788cd6389faa6a3d14c17153f5ce86.exe that is automatically launched and executed. This executable is created from an array of bytes stored in the javascript file.”
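Added example, not code from the article or from the Bleeping Computer analysis: a Python heuristic that flags attachments shaped like the dropper described above, that is, a script carrying a long numeric byte array together with file-write and process-launch calls. The API names and the two sample scripts are constructed assumptions for illustration, not the Enigma sample's actual code.

```python
import re

# Assumed indicators of a script that embeds an executable as a byte array
# and writes/launches it. These are generic heuristics, not Enigma's code.
FILE_WRITE_APIS = [
    "Scripting.FileSystemObject",
    "ADODB.Stream",
    "WScript.Shell",
    "msSaveOrOpenBlob",
    "createObjectURL",
]
MIN_ARRAY_BYTES = 64  # a long numeric array is unusual in a "certificate"

# A JavaScript array literal of at least MIN_ARRAY_BYTES small integers.
ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){%d,}\d{1,3}\s*\]" % (MIN_ARRAY_BYTES - 1))
# Method calls that launch a process.
EXEC_RE = re.compile(r"\.(?:Run|Exec|ShellExecute)\s*\(")

def score_script(text):
    """Return (score, reasons) for the body of a JS/HTML attachment."""
    reasons = []
    m = ARRAY_RE.search(text)
    if m:
        entries = m.group(0).count(",") + 1
        reasons.append(f"embedded byte array of {entries} entries")
    for api in FILE_WRITE_APIS:
        if api in text:
            reasons.append(f"file-write API {api}")
    if EXEC_RE.search(text):
        reasons.append("launches a process")
    if re.search(r"\.(?:exe|scr)\b", text, re.I):
        reasons.append("references an executable file name")
    return len(reasons), reasons

def is_suspicious(text, threshold=3):
    """True when enough independent dropper indicators co-occur."""
    score, _ = score_script(text)
    return score >= threshold

# Constructed sample: a dropper-shaped script (payload bytes are dummy values).
CONSTRUCTED_DROPPER = (
    "var b = [" + ",".join(str(i % 256) for i in range(80)) + "];\n"
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    'var f = fso.CreateTextFile("payload.exe", true);\n'
    'new ActiveXObject("WScript.Shell").Run("payload.exe");\n'
)
# Constructed sample: a harmless page with a short array and no file APIs.
CONSTRUCTED_BENIGN = "var colours = [255, 128, 0];\ndocument.title = 'Receipt';\n"
```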
That ransomware executable then proceeds to encrypt a user’s files, append the .ENIGMA extension to them, and display a ransom message written entirely in Russian:
It’s curious that Enigma is specifically targeting Russian-speaking countries, especially when Cerber currently makes a point of preventing users living in Russia and Eastern European countries from becoming infected.
If anything, Enigma proves that no one is safe from ransomware these days.
This crypto-malware variant demands approximately US $200 in exchange for the decryption key. To complete their payments, victims must download the Tor browser and use it to access Enigma’s payment portal, which is also written entirely in Russian:
There they can decrypt one file for free and communicate with the malware developers via a chat box.
The following YouTube video demonstrates Enigma in action.
At this time, there is no reliable way for victims to recover their files for free.
With that being said, Abrams and @MalwareHunterTeam do note that in some instances, Enigma fails to delete the Shadow Volume Copies (SVC). The ransomware does attempt to delete them, but whether it succeeds varies from one victim to another. If it does not, a victim should use their Shadow Volume Copies to restore their files.
For all other users, prevention is key. Please make sure you back up your data regularly and install an anti-virus solution on your computer. At this time, VirusTotal is listing 37 different anti-virus tools that identify the Enigma ransomware.
With one of those products running on your machine, you can protect yourself against this threat.