Enigma Ransomware: The Attacker Strikes Eastern Europe

The AVG security researcher Jakub Kroustek discovered a brand new ransomware called Enigma, which mainly targets the Russian speaking countries. According to Kroustek, Enigma Ransomware encrypts users data using AES encryption and demands 0.4291 BTC (approximately $200 USD) to decrypt their files.

Apart from the fact that Enigma ransomware attacks Russian speaking countries, there is another interesting feature about it. It is the fact that Enigma uses a HTML/JS based installer which contains an embedded ransomware executable. Also, under certain conditions, the ransomware allow users to recover some of their files using Shadow Volume Copies.

Currently, Enigma Ransomware is being distributed via HTML attachments which contains everything it needs to create an executable, save it to the victim’s hard drive, and then execute it. Once the HTML attachment is opened, it launches the default web browser and execute the embedded javascript.

Javascript creates a standalone javascript file named Свидетельство о регистрации частного предприятия.js, which translates to: The certificate of registration of private predpriyatiya.js.

After the javascript file is created, the HTML file automatically pretends to download it and offers it as a file that the victim should execute. Being executed, the JS file creates an executable called 3b788cd6389faa6a3d14c17153f5ce86.exe, which is automatically launched and executed. This executable is created from an array of bytes stored in the javascript file.

Being executed, the executable encrypts the data on the victim’s computer and appends the .enigma extension to them. For instance, MyPicture.jpg would become MyPicture.jpg.enigma.

Once the encryption process is completed, it executes the %UserProfile%\Desktop\enigma.hta file to display the ransom note shown below. The ransom note contains information on what happened to the victim’s files and a link to the TOR payment site. The text of this ransom note is:

Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи.
Файлы зашифрованны алгоритмом AES 128(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем,который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.
Если хотите получить файлы обратно:
1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://f6lohswy737xq34e.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор
Если основной сайт будет недоступен попробуйте http://ohj63tmbsod42v3d.onion/

During the encryption process it will also create the following files, which are described below.

  • %Temp%\testttt.txt – A debug file used to determine if the file handle could be opened for the creation of the ransomware executable.
  • %UserProfile%\Desktop\enigma.hta – Is set as a Windows autorun to automatically display the ransom note shown above.
  • %AppData%\testStart.txt – Debug file indicating that the encryption started and was successful.
  • %UserProfile%\Desktop\allfilefinds.dat – Encrypted list of files that were encrypted.
  • %UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe – Ransomware executable.
  • %UserProfile%\Desktop\ENIGMA_[id_number].RSA – The unique public key associated with the victim’s computer. This is used to login to the payment site.
  • %UserProfile%\Desktop\enigma_encr.txt – Text based ransom note.

If an infected user wants to make a ransom payment, they need to connect to a special TOR site created by the developers. The address for this TOR website is located in the ransom note and requires victims to upload the ENIGMA_[id_number].RSA file in order to log in.

After a user logs in, they will be presented with the amount of bitcoins they must send as the ransom as well as the bitcoin address payment must be sent to. The payment website offers the victim the ability to decrypt one file for free to prove that the ransomware developers can do so. Besides, it includes a support chat box that a victim can use to talk to the malware developers. As soon as a payment has been made, a download link will be made available for downloading the decryptor.

Regarding the possibility of decrypting files, there is a simplified explanation of what happens towards the end of the encryption process that you need to remember just in case you double-clicked an HTA file.

For users who have Windows UAC (User Account Control) enabled, the ransomware will show a UAC prompt at one point towards the end of the encryption process. If users press “No” in this prompt, the ransomware’s encryption routine ends without deleting the Shadow Volume Copies. However, the files will remain encrypted and victims will be able to spot them based on their “.enigma” file extension. To recover their files, there’s specialized hard drive recovery software that can extract data from Shadow Volume Copies.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.