A new ransomware called Enigma was discovered that targets Russian speaking countries. Discovered in late April by Jakub Kroustek, a reverse engineer and malware analyst for AVG, the Enigma Ransomware encrypts your data using AES encryption and then demands 0.4291 BTC or approximately $200 USD to get your files back.
Are malware authors running out of names? Another #Enigma #ransomware. https://t.co/eiv8eg0DcF pic.twitter.com/fRC9KeK3ZM
— Jakub Kroustek (@JakubKroustek) April 29, 2016
Beyond targeting Russian-speaking countries, another interesting feature is that Enigma uses an HTML/JS-based installer that contains an embedded ransomware executable. Some good news is that the deletion of the Shadow Volume Copies sometimes fails, in which case they can be used to recover files.
It should be noted that this ransomware is not related to or affiliated with any company whose name contains the word Enigma. This ransomware was given this name simply because it creates multiple files with the keyword Enigma and appends .enigma to all encrypted files.
Javascript installer with an embedded executable
According to analysis done by MalwareHunterTeam and myself, the Enigma Ransomware is currently being distributed via HTML attachments that contain everything needed to create an executable, save it to the victim's hard drive, and then execute it. When the HTML attachment is opened, it launches the default browser and executes the embedded JavaScript.
This JavaScript creates a standalone JavaScript file called Свидетельство о регистрации частного предприятия.js, which translates to Certificate of registration of a private enterprise.js.

Once the JavaScript file is created, the HTML page pretends to download it and offers it as a file for the victim to execute. When this JS file is run, it creates an executable called 3b788cd6389faa6a3d14c17153f5ce86.exe, which is then automatically launched. This executable is built from an array of bytes stored in the JavaScript file.
Once executed, the executable will encrypt the data on the victim's computer and append the .enigma extension to them. For example, test.jpg would become test.jpg.enigma.
When the encryption process is done, it will execute the %UserProfile%\Desktop\enigma.hta file to display the ransom note shown below. This ransom note contains information on what happened to the victim's files and a link to the TOR payment site. The text of this ransom note is:
Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи.
Файлы зашифрованны алгоритмом AES 128(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем,который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.
Если хотите получить файлы обратно:
1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://f6lohswy737xq34e.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор
Если основной сайт будет недоступен попробуйте http://ohj63tmbsod42v3d.onion/
This loosely translates into English as:
We have encrypted the important files on your computer: documents, databases, photos, videos, keys.
The files are encrypted with the AES 128 algorithm (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) using a private key that only we know.
Encrypted files have the .ENIGMA extension. Decrypting the files without the private key is IMPOSSIBLE.
If you want to get your files back:
1) Install the Tor Browser https://www.torproject.org/
2) Find the key for accessing the site on your desktop: ENIGMA_(your key number).RSA
3) Go to the site http://f6lohswy737xq34e.onion in the Tor browser and log in using ENIGMA_(your key number).RSA
4) Follow the instructions on the site and download the decryptor
If the main site is unavailable, try http://ohj63tmbsod42v3d.onion/
During the encryption process it will also create the following files, which are described below.
- %Temp%\testttt.txt - A debug file used to determine if the file handle could be opened for the creation of the ransomware executable.
- %AppData%\testStart.txt - Debug file indicating that the encryption started and was successful.
- %UserProfile%\Desktop\allfilefinds.dat - Encrypted list of files that were encrypted.
- %UserProfile%\Desktop\enigma.hta - Set as a Windows autorun to automatically display the ransom note shown above.
- %UserProfile%\Desktop\ENIGMA_[id_number].RSA - The unique public key associated with the victim's computer. This is used to login to the payment site.
- %UserProfile%\Desktop\enigma_encr.txt - Text based ransom note.
- %UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe - Ransomware executable.
Some good news is that the deletion of the Shadow Volume Copies sometimes fails, so you can use these instructions to attempt to recover them for free. If you need help with this method, you can ask in the dedicated Enigma Ransomware Support and Help Topic.
The Enigma Ransomware Payment Site
When a user is infected and wishes to make a ransom payment, they need to connect to a special TOR site created by the developers. The address of this TOR site is in the ransom note, and the site requires you to upload the ENIGMA_[id_number].RSA file in order to log in.

When a user logs in they will be presented with the amount of bitcoins they must send as the ransom as well as the bitcoin address payment must be sent to. This payment site offers a victim the ability to decrypt one file for free to prove that the ransomware developers can do so. It also includes a support chat box that a victim can use to talk to the malware developers.

Once a payment has been made, a download link will be made available that can be used to download the decryptor.
Updated 5/10/16 - According to MalwareHunterTeam and others, the Enigma Ransomware does attempt to delete the Shadow Volume Copies. When I tested it, it did not, so this mechanism may be faulty. Affected users should still attempt recovery via the SVCs if they are present.
Files associated with the Enigma Ransomware:
%Temp%\testttt.txt
%AppData%\testStart.txt
%UserProfile%\Desktop\allfilefinds.dat
%UserProfile%\Desktop\enigma.hta
%UserProfile%\Desktop\ENIGMA_807.RSA
%UserProfile%\Desktop\enigma_encr.txt
%UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe
Registry keys associated with the Enigma Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgram 3b788cd6389faa6a3d14c17153f5ce86.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgramOk %UserProfile%\Desktop\enigma.hta
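The file and registry indicators listed above, plus the shadow copy deletion command quoted in the comments below, can be turned into a simple triage check. This is an added example, not code from the article or from any analysis tool it mentions; the event dictionaries and sample telemetry are constructed here for demonstration.

```python
import re
from dataclasses import dataclass

# Indicators copied from the article's file and registry lists (matched case-insensitively).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
ENIGMA_RUN_VALUES = {"myprogram", "myprogramok"}
ENIGMA_FILE_NAMES = {"enigma.hta", "enigma_encr.txt", "allfilefinds.dat", "teststart.txt", "testttt.txt"}
ENIGMA_KEY_RE = re.compile(r"^enigma_\d+\.rsa$")   # per-victim ENIGMA_[id_number].RSA
ENCRYPTED_EXT = ".enigma"
# Shadow copy deletion command line quoted in the comments under the article.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

@dataclass
class Finding:
    event_index: int
    reason: str

def inspect_event(idx: int, ev: dict) -> list:
    # Return the Enigma indicators matched by one constructed telemetry event.
    hits = []
    kind = ev.get("type")
    if kind == "file_create":
        name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1]
        low = name.lower()
        if low in ENIGMA_FILE_NAMES:
            hits.append(Finding(idx, f"known Enigma artifact {name}"))
        elif ENIGMA_KEY_RE.match(low):
            hits.append(Finding(idx, f"per-victim key file {name}"))
        elif low.endswith(ENCRYPTED_EXT):
            hits.append(Finding(idx, f"encrypted file extension on {name}"))
    elif kind == "reg_set":
        if RUN_KEY in ev["key"].lower() and ev["value_name"].lower() in ENIGMA_RUN_VALUES:
            hits.append(Finding(idx, f"Run value {ev['value_name']} -> {ev['data']}"))
    elif kind == "process" and VSSADMIN_RE.search(ev["cmdline"]):
        hits.append(Finding(idx, "shadow copy deletion attempt"))
    return hits

def triage(events: list) -> list:
    # Run every event through inspect_event and collect findings in event order.
    return [f for i, ev in enumerate(events) for f in inspect_event(i, ev)]

# Constructed sample telemetry for demonstration, not a real capture.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\testStart.txt"},
    {"type": "file_create", "path": r"C:\Users\u\Desktop\ENIGMA_807.RSA"},
    {"type": "file_create", "path": r"C:\Users\u\Pictures\test.jpg.enigma"},
    {"type": "file_create", "path": r"C:\Users\u\Pictures\test.jpg"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MyProgramOk", "data": r"%UserProfile%\Desktop\enigma.hta"},
    {"type": "process", "cmdline": 'cmd.exe /C "vssadmin.exe delete shadows /all /quiet"'},
]
```

A clean file such as test.jpg produces no finding, while the four artifacts, the Run value and the vssadmin command line each produce one.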


Comments
ScathEnfys - 5 years ago
"Some good news is that this ransomware does not appear to delete the Shadow Volume Copies, so a victim can use them to recover their files." That's interesting. Don't see that often.
aurelian121 - 5 years ago
I think that information is not real; I've seen that enigma.exe launches cmd, which starts to delete Shadow Volume Copies.
Lawrence Abrams - 5 years ago
Thanks.. I heard that from someone else as well. I updated the article to reflect this. When I tested it, it did not try to or remove the SVCs.
ScathEnfys - 5 years ago
Do you have the file still? Maybe you should compare the hash with the hash of the sample Lawrence has... could be a quick patch.
Lawrence Abrams - 5 years ago
It appears my sample had it as well. For whatever reason, it did not try or clean the SVCs.
cmd.exe /C "vssadmin.exe delete shadows /all /quiet"
ScathEnfys - 5 years ago
Hmm... scripting error perhaps? Somehow that call was not made in your test...
Lawrence Abrams - 5 years ago
And if it was not made in my test, then maybe others? That is why I recommend victims give it a try.
ScathEnfys - 5 years ago
eyup.
Demonslay335 - 4 years ago
New sample seems to use the extension ".1txt" and ransom note "enigma_info.txt".