A new ransomware called Enigma has been discovered that targets Russian-speaking countries. Discovered in late April by Jakub Kroustek, a reverse engineer and malware analyst at AVG, the Enigma Ransomware encrypts a victim's data using AES encryption and then demands 0.4291 BTC, or approximately $200 USD, to get the files back.
Besides targeting Russian-speaking countries, another interesting feature is that Enigma uses an HTML/JS based installer that contains an embedded ransomware executable. Some good news is that the deletion of the Shadow Volume Copies is sometimes unsuccessful, in which case they can be used to recover files.
It should be noted that this ransomware is not related to or affiliated with any company whose name contains the word Enigma. It was given this name simply because it creates multiple files containing the keyword Enigma and appends .enigma to all encrypted files.
Once executed, the executable will encrypt the data on the victim's computer and append the .enigma extension to them. For example, test.jpg would become test.jpg.enigma.
When the encryption process is done, it will execute the %UserProfile%\Desktop\enigma.hta file to display the ransom note shown below. This ransom note contains information on what happened to the victim's files and a link to the TOR payment site. The text of this ransom note is:
Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи.
Файлы зашифрованны алгоритмом AES 128(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем,который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.
Если хотите получить файлы обратно:
1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://f6lohswy737xq34e.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор
Если основной сайт будет недоступен попробуйте http://ohj63tmbsod42v3d.onion/
This translates into English roughly as:
We have encrypted the important files on your computer: documents, databases, photos, videos, keys.
The files are encrypted with the AES 128 algorithm (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) using a private key known only to us.
Encrypted files have the .ENIGMA extension. Decrypting the files without the private key is IMPOSSIBLE.
If you want to get your files back:
1) Install the Tor Browser https://www.torproject.org/
2) Find the key for accessing the site on your desktop: ENIGMA_(your key number).RSA
3) Go to http://f6lohswy737xq34e.onion in the Tor browser and log in using ENIGMA_(your key number).RSA
4) Follow the instructions on the site and download the decryptor
If the main site is unavailable, try http://ohj63tmbsod42v3d.onion/
During the encryption process it also creates a number of files on the system; the full list of files and registry entries associated with this ransomware is given at the end of this article.
Some good news is that the deletion of the Shadow Volume Copies is sometimes unsuccessful, so you can attempt to recover your files from them for free using the usual Shadow Volume Copy restore procedure. If you need help with this method, you can ask in the dedicated Enigma Ransomware Support and Help Topic.
An infected user who wishes to pay the ransom must connect to a dedicated TOR site set up by the developers. The address of this site is given in the ransom note, and logging in requires uploading the ENIGMA_[id_number].RSA file that was dropped on the desktop.
Once logged in, the user is shown the amount of bitcoins to send as the ransom and the bitcoin address the payment must be sent to. The payment site also offers to decrypt one file for free to prove that the ransomware developers are able to do so, and it includes a support chat box that a victim can use to talk to the malware developers.
Once a payment has been made, a download link will be made available that can be used to download the decryptor.
Updated 5/10/16 - According to MalwareHunterTeam and others, the Enigma Ransomware does attempt to delete the Shadow Volume Copies. When I tested it, it did not, so this mechanism may be faulty. Affected users should still attempt recovery via the SVCs if they are present.
Files associated with the Enigma Ransomware:
%Temp%\testttt.txt
%AppData%\testStart.txt
%UserProfile%\Desktop\allfilefinds.dat
%UserProfile%\Desktop\enigma.hta
%UserProfile%\Desktop\ENIGMA_807.RSA
%UserProfile%\Desktop\enigma_encr.txt
%UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe
Registry entries associated with the Enigma Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgram    3b788cd6389faa6a3d14c17153f5ce86.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgramOk    %UserProfile%\Desktop\enigma.hta
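The following PowerShell triage script is an added example and is not code from the original article, from Jakub Kroustek, or from MalwareHunterTeam. It turns the file and registry indicators listed above, and the Shadow Volume Copy recovery note, into a check a responder can run on a suspected host: it looks for the two Run entries (MyProgram and MyProgramOk), the dropped files and the per-victim ENIGMA_*.RSA key file, enumerates .enigma files under the user profile, and lists any surviving shadow copies. The function names, the profile-only search scope and the output layout are assumptions made for illustration; the indicator paths are taken from the lists above. Run it from an elevated PowerShell prompt.

```powershell
# Enigma ransomware host triage (added example, not from the original article).
# Indicators: file and registry lists above. Function names and output format are assumptions.

$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValues = @('MyProgram', 'MyProgramOk')   # persistence entries from the registry list above

# Dropped files from the file list above, with the %Temp%/%AppData%/%UserProfile% variables expanded.
$DroppedFiles = @(
    "$env:TEMP\testttt.txt",
    "$env:APPDATA\testStart.txt",
    "$env:USERPROFILE\Desktop\allfilefinds.dat",
    "$env:USERPROFILE\Desktop\enigma.hta",
    "$env:USERPROFILE\Desktop\enigma_encr.txt",
    "$env:USERPROFILE\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe"
)

function Get-EnigmaPersistence {
    # Returns the Run-key values that relaunch the dropper and the enigma.hta ransom note at logon.
    $found = @()
    if (Test-Path $RunKey) {
        $props = Get-ItemProperty -Path $RunKey
        foreach ($name in $RunValues) {
            if ($null -ne $props.$name) {
                $found += [pscustomobject]@{ Name = $name; Command = $props.$name }
            }
        }
    }
    return $found
}

function Get-EnigmaArtifacts {
    # Dropped files that exist, plus the victim key file whose number varies (ENIGMA_807.RSA in the sample).
    $hits = @($DroppedFiles | Where-Object { Test-Path $_ })
    $keyFiles = @(Get-ChildItem "$env:USERPROFILE\Desktop" -Filter 'ENIGMA_*.RSA' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty FullName)
    $hits += $keyFiles
    return $hits
}

function Get-EnigmaEncryptedFiles {
    param([string[]]$Roots = @("$env:USERPROFILE"))   # search scope is an assumption; widen as needed
    # Encrypted files keep their original name and gain a second extension: test.jpg -> test.jpg.enigma
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.enigma' -ErrorAction SilentlyContinue |
        Select-Object FullName,
                      @{ n = 'Original'; e = { $_.FullName -replace '\.enigma$', '' } },
                      LastWriteTime
}

function Get-ShadowCopies {
    # Shadow Volume Copy deletion is unreliable for this family; any that survive can be used for recovery.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

# --- Triage run ---
$persist = Get-EnigmaPersistence
if ($persist) {
    Write-Host "Persistence found in $($RunKey):"
    $persist | Format-Table -AutoSize
    # -WhatIf only reports; remove it to actually delete the entries once the host is being cleaned.
    foreach ($p in $persist) { Remove-ItemProperty -Path $RunKey -Name $p.Name -WhatIf }
}

$artifacts = Get-EnigmaArtifacts
Write-Host "Dropped artifacts present: $($artifacts.Count)"
$artifacts | ForEach-Object { Write-Host "  $_" }

$encrypted = @(Get-EnigmaEncryptedFiles)
Write-Host "Encrypted (.enigma) files under the profile: $($encrypted.Count)"
$encrypted | Select-Object -First 10 | Format-Table -AutoSize

$shadows = @(Get-ShadowCopies)
if ($shadows.Count -gt 0) {
    Write-Host "Shadow copies survived; expose one as a directory with cmd.exe's mklink and copy files out, e.g.:"
    $shadows | ForEach-Object {
        Write-Host "  mklink /d C:\shadow_$($_.ID.Trim('{}')) $($_.DeviceObject)\"
    }
} else {
    Write-Host "No shadow copies present on this host."
}
```

The Remove-ItemProperty call is deliberately left in -WhatIf mode so that a first pass only reports; the Run entries should be removed before the next logon, otherwise the dropper referenced by MyProgram and the enigma.hta note referenced by MyProgramOk are executed again. The mklink line mirrors the standard manual procedure for browsing a shadow copy (the trailing backslash on the device object path is required); the Original column in the encrypted-file listing gives the name each file should be restored to.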