Enigma is a ransomware Trojan designed to attack computer users in Russian-speaking countries. This ransomware is not related to or affiliated with any company whose name contains the word Enigma, such as EnigmaSoft. It was given this name simply because it creates multiple files with the keyword Enigma and appends .enigma to every encrypted file.

Payload

Transmission

Enigma Ransomware is currently being distributed via HTML attachments.

Infection

When the HTML attachment is opened, it launches the default browser, which executes the embedded JavaScript.

This JavaScript creates a standalone JavaScript file called Свидетельство о регистрации частного предприятия.js, which translates to "Certificate of registration of a private enterprise.js".

Once the JavaScript file has been created, the HTML file pretends to download it and offers it as a file for the victim to execute. When this JS file is run, it writes an executable called 3b788cd6389faa6a3d14c17153f5ce86.exe and launches it. The executable is reconstructed from an array of bytes stored inside the JavaScript file.

Once executed, the executable encrypts the data on the victim's computer and appends the .enigma extension to each encrypted file. For example, test.jpg becomes test.jpg.enigma.

When the encryption process is done, it executes the %UserProfile%\Desktop\enigma.hta file to display the ransom note. This ransom note contains information on what happened to the victim's files and a link to the TOR payment site. The text of the ransom note is:

Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи.
Файлы зашифрованны алгоритмом AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем, который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.

Если хотите получить файлы обратно:

1) Установите Tor Browser https://www.torproject.org/
2) Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3) Перейдите на сайт http://f6lohswy737xq34e.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4) Следуйте инструкциям на сайте и скачайте дешифратор

Если основной сайт будет недоступен попробуйте http://ohj63tmbsod42v3d.onion/

This translates into English as:

We have encrypted the important files on your computer: documents, databases, photos, videos, keys.
The files are encrypted with the AES 128 algorithm (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) using a private key that only we know.
Encrypted files have the .ENIGMA extension. Decrypting the files without the private key is IMPOSSIBLE.

If you want to get your files back:

1) Install the Tor Browser https://www.torproject.org/
2) On your desktop, find the key for accessing the site: ENIGMA_(your key number).RSA
3) Go to http://f6lohswy737xq34e.onion in the Tor Browser and log in using ENIGMA_(your key number).RSA
4) Follow the instructions on the site and download the decryptor

If the main site is unavailable, try http://ohj63tmbsod42v3d.onion/

During the encryption process it also creates the following files:

  • %Temp%\testttt.txt - A debug file used to determine whether a file handle could be opened for creating the ransomware executable.
  • %AppData%\testStart.txt - A debug file indicating that encryption started and completed successfully.
  • %UserProfile%\Desktop\allfilefinds.dat - An encrypted list of the files that were encrypted.
  • %UserProfile%\Desktop\enigma.hta - Registered as a Windows autorun entry so that the ransom note shown above is displayed automatically.
  • %UserProfile%\Desktop\ENIGMA_[id_number].RSA - The unique public key associated with the victim's computer. It is used to log in to the payment site.
  • %UserProfile%\Desktop\enigma_encr.txt - Text-based ransom note.
  • %UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe - The ransomware executable.

If an infected user wishes to pay the ransom, they must connect to a dedicated TOR site created by the developers. The address of this TOR site is given in the ransom note, and the site requires the victim to upload the ENIGMA_[id_number].RSA file in order to log in.

After logging in, the victim is shown the amount of Bitcoin to send as the ransom and the Bitcoin address the payment must be sent to. The payment site lets the victim decrypt one file for free as proof that the ransomware developers are able to do so. It also includes a support chat box the victim can use to talk to the malware developers.

Once a payment has been made, a download link is made available for the decryptor.

Files associated with the Enigma Ransomware:

%Temp%\testttt.txt
%AppData%\testStart.txt
%UserProfile%\Desktop\allfilefinds.dat
%UserProfile%\Desktop\enigma.hta
%UserProfile%\Desktop\ENIGMA_807.RSA
%UserProfile%\Desktop\enigma_encr.txt
%UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe

Registry keys associated with the Enigma Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgram   3b788cd6389faa6a3d14c17153f5ce86.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgramOk    %UserProfile%\Desktop\enigma.hta
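As an added example (not code from this page or from any analysis tool), the following Python checker groups the artifact files, the two autorun values and the .enigma-renamed user files listed above when run over a file listing and a Run-key dump. The expanded C:\Users\alice paths and the OneDrive entry are constructed sample data; the artifact names and registry values are the ones the page lists.

```python
import re
from typing import Dict, List, Optional, Tuple
# Assumption: inputs are expanded paths from a file listing or file-creation log
# (C:\Users\...), so the page's %UserProfile%\Desktop\... artifacts are matched
# on their directory-plus-filename tails, case-insensitively as on NTFS.
ARTIFACT_PATTERNS = {
    "debug_temp":    re.compile(r"\\testttt\.txt$", re.I),
    "debug_appdata": re.compile(r"\\teststart\.txt$", re.I),
    "file_list":     re.compile(r"\\desktop\\allfilefinds\.dat$", re.I),
    "hta_note":      re.compile(r"\\desktop\\enigma\.hta$", re.I),
    "txt_note":      re.compile(r"\\desktop\\enigma_encr\.txt$", re.I),
    "victim_key":    re.compile(r"\\desktop\\enigma_\d+\.rsa$", re.I),  # ENIGMA_[id_number].RSA
    "dropped_exe":   re.compile(r"\\downloads\\3b788cd6389faa6a3d14c17153f5ce86\.exe$", re.I),
}
ENCRYPTED_EXT = ".enigma"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"myprogram", "myprogramok"}  # the two autorun values the page lists

def classify_path(path: str) -> Optional[str]:
    # Which Enigma artifact a path is, "encrypted_file", or None if unrelated.
    for label, pattern in ARTIFACT_PATTERNS.items():
        if pattern.search(path):
            return label
    return "encrypted_file" if path.lower().endswith(ENCRYPTED_EXT) else None

def original_name(path: str) -> str:
    # The extension is appended, not replaced: test.jpg.enigma -> test.jpg.
    return path[:-len(ENCRYPTED_EXT)] if path.lower().endswith(ENCRYPTED_EXT) else path

def is_enigma_run_value(key: str, value_name: str) -> bool:
    return key.lower().rstrip("\\") == RUN_KEY and value_name.lower() in RUN_VALUES

def scan(paths: List[str], run_values: List[Tuple[str, str, str]]) -> Dict:
    # Group hits so artifacts, persistence and encrypted user files read separately.
    report = {"artifacts": {}, "encrypted": [], "persistence": []}
    for p in paths:
        kind = classify_path(p)
        if kind == "encrypted_file":
            report["encrypted"].append(original_name(p))
        elif kind:
            report["artifacts"][kind] = p
    for key, name, data in run_values:
        if is_enigma_run_value(key, name):
            report["persistence"].append((name, data))
    return report

# Constructed sample input (not real telemetry); ENIGMA_807.RSA is the page's own example.
SAMPLE_PATHS = [r"C:\Users\alice\Desktop\enigma.hta", r"C:\Users\alice\Desktop\ENIGMA_807.RSA",
                r"C:\Users\alice\Pictures\test.jpg.enigma", r"C:\Users\alice\Documents\report.docx"]
SAMPLE_RUN = [(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "MyProgram", "3b788cd6389faa6a3d14c17153f5ce86.exe"),
              (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "OneDrive.exe")]
```

Running `scan(SAMPLE_PATHS, SAMPLE_RUN)` on the sample reports the HTA note and victim key as artifacts, test.jpg as an encrypted file, and only the MyProgram value as persistence; the unrelated OneDrive entry and report.docx are ignored.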