LIGMA Ransomware Removal Guide

Do you know what LIGMA Ransomware is?

If you have spotted a message “Your Computer Got FUCKED By LIGMA” on the Logon screen, it is very likely that you have encountered LIGMA Ransomware. It is a brand new malicious application detected by our researchers. Even though cyber criminals usually release ransomware infections to obtain money from users, it seems that it is not the LIGMA Ransomware developer’s goal, or this malicious application is still in the development phase because it does not demand a ransom once it encrypts files on affected computers. It should be emphasized that not all the versions of LIGMA Ransomware lock data on victims’ computers. It seems that another version that only changes icons on affected systems exists as well. We hope that you have encountered this version because we do not think that it would be easy to fix files ruined by the version that encrypts data. Of course, you cannot keep any version of LIGMA Ransomware installed on your system. We cannot promise that its removal will be a piece of cake due to all the modifications it makes, but we promise to help you eliminate it fully.

As mentioned, it seems that there are two slightly different versions of LIGMA Ransomware. One will only change your icons, whereas the other will mercilessly lock your files. The latter version of LIGMA Ransomware will encrypt the files you consider the most important and valuable. There is a long list of filename extensions it targets, e.g. .jpg, .gif, .iso, .txt, .zip, .msi, .res, .php, .lic, .cfa, and .bep. You will lose all your documents, media files, and much more if this infection ever enters your system. It did not demand a ransom at the time of research, which suggests that it might be impossible to get a decryptor from the LIGMA Ransomware developer. Of course, it does not mean that we encourage victims to purchase software cyber criminals claim to have. If you send money to malware developers, new infections might be released in the near future, and there are no guarantees that you will not encounter them yourself. Also, we can assure you that the ransomware infection will not be deleted from your system, meaning that it could lock your files again. Last but not least, there are no guarantees that you will get the decryptor and be able to unlock encrypted files with it. You are not doomed without the special decryptor. All affected files can be restored from a backup. Unfortunately, we know no other free data recovery methods.

Specialists say spam emails are expected to be the main distribution channel for LIGMA Ransomware, but it would be very naïve to expect that it cannot be spread differently. According to our team of researchers, some users might encounter LIGMA Ransomware after their RDP connections are hacked. In such a case, the ransomware infection is dropped by hackers directly onto the user’s computer. Of course, it does not mean that users cannot download malicious software from the web. If you are a fan of torrent websites, it is only a matter of time before you download a harmful threat. Needless to say, it will not be named “malware.” Instead, it will pretend to be a completely harmless piece of software to trick you into clicking the Download button.

No matter which of the existing versions of LIGMA Ransomware you have encountered, eliminate this threat from your system as soon as possible. You will need to erase its files, remove the Value data from the affected Values in the system registry, and re-enable Task Manager and Registry Editor. Yes, it disables both of them upon successful entry, which is why researchers consider it quite sophisticated malware.

Remove LIGMA Ransomware

  1. Tap Win+R.
  2. Type gpedit.msc and tap Enter.
  3. Navigate to User Configuration.
  4. Click Administrative Templates.
  5. Click System.
  6. Open Ctrl+Alt+Del Options.
  7. Open Remove Task Manager.
  8. Set Not Configured and click OK.
  9. Under System, locate Prevent Access to registry editing tools.
  10. Set Not Configured and click OK.
  11. Close the window.
  12. Tap Win+R.
  13. Type regedit and click OK.
  14. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System.
  15. Delete two Values: legalnoticecaption and legalnoticetext.
  16. Close Registry Editor.
  17. Press Win+E.
  18. Open %HOMEDRIVE%\WinWOW32.
  19. Delete all malicious files listed below:
  • icon.ico
  • mbr.bin
  • Payloads.dll
  • work.bat
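
A read-only PowerShell check that can be run before and after the steps above to confirm that each artifact is gone. It is an added example, not part of the original guide: the registry key, value names, folder and file names are taken from the steps, while the DisableTaskMgr and DisableRegistryTools value names are an assumption about how the two Group Policy settings are stored.

```powershell
# Read-only check for the artifacts named in the removal steps above.
# Nothing is deleted or changed; the script only reports what is still present.
# Run it in the affected user's session, because part of it reads HKCU.

$findings = [System.Collections.Generic.List[string]]::new()

# Steps 14-15: logon-notice values under the key given in the guide.
$noticeKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'legalnoticecaption', 'legalnoticetext') {
    $value = (Get-ItemProperty -Path $noticeKey -Name $name -ErrorAction SilentlyContinue).$name
    # An absent or empty value means no logon message is configured here.
    if ($value) { $findings.Add("Registry value present: $noticeKey\$name = '$value'") }
}

# Steps 1-10: the two Group Policy settings.
# ASSUMPTION: they are backed by the standard per-user policy values
# DisableTaskMgr and DisableRegistryTools; the guide itself only names gpedit.msc.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    # Any non-zero value means the restriction is still in force.
    if ($value) { $findings.Add("Policy still enabled: $policyKey\$name = $value") }
}

# Steps 17-19: dropped files in %HOMEDRIVE%\WinWOW32.
# Falling back to %SystemDrive% when HOMEDRIVE is unset is an added convenience.
$drive = if ($env:HOMEDRIVE) { $env:HOMEDRIVE } else { $env:SystemDrive }
$dropDir = Join-Path $drive 'WinWOW32'
foreach ($file in 'icon.ico', 'mbr.bin', 'Payloads.dll', 'work.bat') {
    $path = Join-Path $dropDir $file
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Record a hash so the file can be identified later without opening it.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path (SHA256 $hash)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from the removal steps were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

An empty report after the manual steps means every item the guide lists has been cleared; any remaining line points at the step to repeat.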

In non-techie terms:

You will either find your icons changed or your personal files encrypted if you ever encounter LIGMA Ransomware. This threat is not exactly a typical ransomware infection because it does not demand a ransom, but it might be updated in the near future. Do not wait for this to happen – delete the ransomware infection right away if you have already encountered it. Then, you should install a security application to improve the system’s overall protection against computer threats.