1 of 3
Danger level 8
Type: Adware
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

LIGMA Ransomware

Which version of the malicious LIGMA Ransomware attacked your Windows operating system? The one that encrypted files, or the one that changed files’ icons? While the situation is much direr if your files were encrypted, you must take the matter seriously in both cases. At the time of analysis of this malicious threat, a free decryptor that could restore the files did not exist, and so if files are encrypted, the chances are that you will not be able to recover them. Our hope is that the victims of this malicious infection have their files backed up outside their computers, and they can restore files from backup as soon as they remove LIGMA Ransomware. Unfortunately, if your files are backed up on the system, it is unlikely that you will be able to restore them because the infection deletes shadow volume copies. This is something Matrix-NEWRAR Ransomware, Cmb Dharma Ransomware, and many other infamous file-encryptors are capable of doing. This is why, when it comes to backing up files, we suggest relying on cloud or external drives.

It is unlikely that LIGMA Ransomware is actively spreading in the wild at the moment because the samples obtained by our research team appeared to be unfinished. One of them did not encrypt files at all; however, file icons were replaced with the “COMPLETELY F***ED” icon. The good news is that although the icon is changed, the files can still be read in a regular manner. If the infection encrypts files, the “.ForgiveME” extension is added to their names. If you discover this extension, you cannot open your files because they are encrypted. According to our research, LIGMA Ransomware can affect well over 200 unique types of files, including txt, .zip, .gif, .jpg, .rar, and .docx. Normally, after encryption, the infection would create a ransom note with a demand to email the creator or immediately pay a ransom in return for a decryptor. The tested samples of the infection did not make any requests. In fact, the only message that was delivered was found on the logon screen, and it stated: “Your Computer Got F***ED By LIGMA.” Nothing happened when the screen was bypassed by clicking the OK button underneath. This only proves that the infection is either incomplete or was not even meant to work. Of course, it is possible that it could evolve, and that is why we are discussing the removal of this malware.

When LIGMA Ransomware invades the operating system, it also has the ability to disable Task Manager and Registry Editor utilities, and that can create difficulties when deleting the infection. Of course, it is possible to regain full control of the system by rebooting it to Safe Mode, and you can learn about the process using the manual removal instructions below. Are you ready to delete LIGMA Ransomware? Even if you are, take a step back and think about one more thing: What can you do to ensure that malware cannot invade your operating system and personal files in the future? If you wish to protect your operating system, manual removal might not be the best option for you, and you need to decide how you will eliminate the threat. Unfortunately, we cannot tell you at this point how the ransomware spreads, but since ransomware can successfully use spam email attacks, malicious downloaders, unsafe RDP channels, and various other security backdoors, you need to be cautious about all security vulnerabilities.

You should have no trouble installing and using automated anti-malware software and find and delete LIGMA Ransomware components. You want to install this software not only because it can take the burden off your shoulders when it comes to malware removal but also because it can take care of your virtual security and ensure that malware cannot attack again and again. Of course, if you have the desire to remove LIGMA Ransomware manually, no one is stopping you. The guide below explains how to reboot to safe mode and how to delete malicious components that are used by the ransomware. The process is quite straightforward, but if you have questions, or you run into obstacles, we are always here to help you. Use the comments section below to communicate with us.

LIGMA Ransomware Removal

Reboot to Safe Mode on Windows 10 or Windows 8

  1. Restart the PC, wait for BIOS to load, and quickly start tapping F8.
  2. When the boot options menu appears, select See advanced repair options.
  3. Click Troubleshoot, move to Advanced options, and then go to Startup Settings.
  4. Click Restart and then choose Safe Mode.

Reboot to Safe Mode on Windows 7, Windows Vista or Windows XP

  1. Restart the PC, wait for BIOS to load, and quickly start tapping F8.
  2. When the boot options menu appears, select Safe Mode using arrow keys and then tap Enter.

Remove malicious ransomware components

  1. Simultaneously tap Win+R to launch RUN and enter regedit.exe into the dialog box.
  2. In Registry Editor’s pane on the left move to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Delete two keys called legalnoticecaption and legalnoticetext.
  4. Exit Registry Editor and then launch Windows Explorer by tapping Win+E.
  5. Enter %HOMEDRIVE% into the field at the top to access the directory.
  6. Open the WinWOW32 folder and Delete these files: icon.ico, mbr.bin, Payloads.dll, and work.bat.
  7. Exit Explorer and then Empty Recycle Bin.
  8. Install a legitimate malware scanner to check if you have removed everything.
Download Spyware Removal Tool to Remove* LIGMA Ransomware
  • Quick & tested solution for LIGMA Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.