Enigma ransomware targets Russian-speaking users

Fortunately, victims may *sometimes* be able to recover their files for free.

David bisson
David Bisson

Enigma ransomware

A new variant of ransomware known as Engima is specifically targeting unsuspecting users who live in Russian-speaking countries.

The ransomware was first identified by Jakub Kroustek, a reverse engineer and malware analyst at AVG Technologies:

Since his discovery, others have had a chance to analyze how this relatively new form of crypto-malware works.

Malware analyst @MalwareHunterTeam along with computer security expert Lawrence Abrams of Bleeping Computer, for example, have published a blog post summarizing their investigation of Enigma.

The duo explain that the ransomware is currently being distributed via HTML attachments that, when clicked on, launches in a web browser and execute embedded Javascript. That code then creates a Javascript file entitled Свидетельство о регистрации частного предприятия.js, or “The certificate of registration of private predpriyatiya.js” in English.

Enigma code

“When the javascript file is created, the HTML file will automatically pretend to download it and offer it as a file that the victim should execute. When this JS file is executed, it will create an executable called 3b788cd6389faa6a3d14c17153f5ce86.exe that is automatically launched and executed. This executable is created from an array of bytes stored in the javascript file.”

That ransomware executable then proceeds to encrypt a user’s files, append the .ENIGMA extension to them, and display a ransom message written entirely in Russian:

Ransomware message

It’s curious that Enigma is specifically targeting Russian-speaking countries, especially when Cerber currently makes it a point of preventing users living in Russia and Eastern European countries from becoming infected.

If anything, Enigma proves that no one is safe from ransomware these days.

This crypto-malware variant demands approximately US $200 in exchange for the decryption key. For victims to complete their payments, they must download the Tor browser and use it to access the Enigma’s payment portal, which is also written entirely in Russian:

Enigma decryption site

There they can decrypt one file for free and communicate with the malware developers via a chat box.

The following YouTube video demonstrates Enigma in action.

At this time, there is no reliable way for victims to recover their files for free.

With that being said, Abrams and @MalwareHunterTeam do note that in some instances, Engima fails to delete the Shadow Volume Copies (SVC). The ransomware will attempt to delete the SVC, so there’s no way of knowing if it will succeed from one victim to another. If it does not, a victim should use their Shadow Volume Copies to restore access to their decrypted files.

For all other users, prevention is key. Please make sure you back up your data regularly and install an anti-virus solution onto your computer. At this time, VirusTotal is listing 37 different anti-virus tools which are identifying the Enigma ransomware.

With one of those products running on your machine, you can protect yourself against this threat.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.