LIGMA Ransomware

What is LIGMA Ransomware?

Malware experts agree: LIGMA Ransomware could become a serious threat. At this time, the infection is not complete, and its distribution is unlikely to have started. Of course, if you encounter it, you must remove it without further delay because it appears to have been created to encrypt files. Our research team has found that the infection is programmed to encrypt 224 different types of files, which include documents, photos, archives, songs, videos, shortcuts, etc. The infection does not encrypt system files, and there would be no point in doing that because the operating system can be reinstalled. On the other hand, when personal files are encrypted, their owners are more likely to accept the demands of cyber criminals just to get them back. The strange thing is that the infection in its current state does not make any demands. This isn't bad news because even when victims have the opportunity to pay a ransom, they should not do it because cyber criminals are unlikely to give anything in return. All in all, even if it is not spreading yet, we want to show how to delete LIGMA Ransomware in case it strikes unexpectedly.

How does LIGMA Ransomware work?

LIGMA Ransomware might be spread using various methods, and, unfortunately, we cannot say much about the distribution at this point because, as we mentioned, the infection might not even be actively spreading yet. Spam emails, downloaders, and remote connections to the system could all be used for the distribution, but so could many other methods. On top of that, there are plenty of other infections that could attack your operating system and that you would need to remove. This is why you must take virtual security seriously. Install reliable software to ensure that malware cannot slither in, and adjust your own behavior to ensure that you do not invite or let in malware yourself. If you accidentally let in LIGMA Ransomware, your personal files could be encrypted, or their icons could be changed. We have seen several different variants of this threat. The strange thing is that the variant that changed icons did not encrypt files. The one that encrypted files added ".ForgiveME" to the end of their names as a marker. Unfortunately, the icons were not changed back, and the files were not decrypted after removing the infection from Windows.

It is unclear what the purpose behind LIGMA Ransomware is. At this point, it looks like this infection is used solely for testing purposes. Ransomware threats are almost always created to blackmail victims and push them into paying huge ransom fees in return for keys or tools that, allegedly, could decrypt corrupted data. In this case, there are no demands whatsoever. After execution, LIGMA Ransomware modified the Windows Registry to display a message on the logon screen, but the message simply stated that the ransomware had messed with the files. Unfortunately, it does not look like this is the end of the infection, and it is possible that a much more advanced variant will emerge in the future. Of course, if the current variant invades your system, you must delete it without further delay. Unfortunately, that can be problematic because the threat is capable of disabling Task Manager and Registry Editor.

How to delete LIGMA Ransomware

You must decide how you want to delete the malicious infection. You might be thinking about manual removal right now, but you should also consider employing anti-malware software. It can automatically delete LIGMA Ransomware and reinstate full-time protection. If other threats exist, the software can erase them too. There are plenty of benefits to using it. You can also remove the threat manually, and the guide below shows how to do it. We also include a guide that should help you restore Task Manager and Registry Editor. If this method does not work for you, reboot to Safe Mode to eliminate malware. Unfortunately, you cannot recover your files regardless of how you get rid of the infection. Your files can be saved only if backups exist. Because the infection deletes shadow copies, your backups must exist on external drives or online. Also, remember that there are many ransomware infections out there, and new ones emerge daily, which is why it is really important to back up files. Some cloud storage services are even free, and so you have no excuse.

Removal Instructions

  1. Click the Windows logo, select Settings, and enter gpedit.msc into the search field (on versions previous to Windows 10, click Start/Windows icon and enter gpedit.msc into the search).
  2. Click Edit group policy (or gpedit) to open the Local Group Policy Editor.
  3. Under User Configuration, click Administrative Templates and then double-click System.
  4. Double-click Prevent access to registry editing tools.
  5. Select Not Configured or Disabled, click Apply, and then click OK.
  6. Go back to the System menu and double-click Ctrl+Alt+Del Options.
  7. Double-click Remove Task Manager.
  8. Select Not Configured or Disabled, click Apply, and then click OK.
  9. Exit Local Group Policy Editor and then launch Registry Editor (tap Win+R and enter regedit.exe).
  10. Go to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System.
  11. Right-click and Delete these keys: legalnoticecaption, legalnoticetext.
  12. Launch Explorer (tap Win+E) and enter %HOMEDRIVE% into the bar at the top.
  13. Right-click and Delete the folder named WinWOW32 if it contains these files: icon.ico, mbr.bin, Payloads.dll, and work.bat.
  14. Exit all windows and Empty Recycle Bin.
  15. Install a trusted malware scanner and run a full system scan to check if malicious leftovers exist.
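
A read-only check for the traces named in the steps above, as an added example that is not part of the original guide. The DisableTaskMgr and DisableRegistryTools value names (the registry values behind the two Group Policy settings), the two extra registry views, and the default scan root are assumptions not taken from the page.

```powershell
# Added example: read-only check for the LIGMA traces named in the removal steps.
# Nothing is deleted or modified; findings are returned as objects.
function Get-LigmaIndicators {
    param(
        [string]$Drive    = $env:HOMEDRIVE,    # steps 12-13 look in %HOMEDRIVE%
        [string]$ScanRoot = $env:USERPROFILE   # assumption: where to look for marked files
    )
    $findings = @()

    # Steps 12-13: WinWOW32 folder and the four files the guide lists.
    $dir = Join-Path "$Drive\" 'WinWOW32'
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $present = 'icon.ico', 'mbr.bin', 'Payloads.dll', 'work.bat' |
            Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) }
        $findings += [pscustomobject]@{
            Check = 'Dropped folder'; Location = $dir; Detail = "files present: $($present -join ', ')"
        }
    }

    # Steps 1-11: logon message values plus the values behind the two policies.
    # The first path is from the guide; the other two views and the Disable*
    # value names are assumptions added here.
    $keys = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $names = 'legalnoticecaption', 'legalnoticetext', 'DisableTaskMgr', 'DisableRegistryTools'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($name in $names) {
            $value = "$($props.$name)".Trim()
            # Empty or 0 is the clean state; anything else is worth reviewing.
            if ($value -ne '' -and $value -ne '0') {
                $findings += [pscustomobject]@{ Check = 'Registry value'; Location = "$key\$name"; Detail = $value }
            }
        }
    }

    # Files renamed with the ".ForgiveME" marker described above.
    $marked = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter '*.ForgiveME' -ErrorAction SilentlyContinue)
    if ($marked.Count -gt 0) {
        $findings += [pscustomobject]@{
            Check = 'Marked files'; Location = $ScanRoot; Detail = "$($marked.Count) file(s), e.g. $($marked[0].FullName)"
        }
    }
    return $findings
}

Get-LigmaIndicators | Format-List
```

An empty result means none of the listed traces were found in the locations checked. A logon banner configured deliberately by an administrator will also appear as a registry finding, so review the text before deleting it.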
