Home » How to Remove LIGMA.exe malicious file

How to Remove LIGMA.exe malicious file

Remove ligma ransomware
Remove ligma ransomware

LIGMA.exe is a malicious file associated with LIGMA ransomware.

Threat Description:

LIGMA.exe is an executable file related to initiate the malicious process of LIGMA ransomware on the infected computer or device. LIGMA is a file-encrypting malware that was first detected on 8th September 2018 that generally spread through spam mail attachments.

This crypto-malware uses AES-256 encryption algorithm to encode the files and lock them with “.ForgiveMe” file extension. For example, ‘blackcat.jpeg’ is renamed to ‘blackcat.jpeg.ForgiveME.’

LIGMA ransomware is considered as most damaging as it gives no option of paying the ransom to get back the files. It more acts like a wiper which attacks the MBR sector of the attacked system and any of its attached memory disks. This makes nearly impossible for the victims to enter into the windows boot screen.

LIGMA Distribution methods:

Like other Ransomware threats, LIGMA too mostly spreading through spam mail attachments that may contains macros, malicious links or auto-activation codes. These mails appear to be very sophisticated as they may entitled as any invoice, job application, fax or so on.

Once the user open the links or download the attachment then the payloads of the virus gets downloaded to the computer system. And silently initiates it activities from background. Besides this, there are many other sources through which ransomware-laden malware program can attack your computer or device. To known more about them in details read What is Ransomware and how it works?

More About LIGMA.exe

LIGMA ransomware is reported to mainly attack windows 7 PCs. Once this ransomware hit on any PC, it drops several files within the C:WinWOW32 to execute its malicious tasks:

  • LIGMA.exe,
  • Payloads.dll,
  • work.bat,
  • Mbr.bin.

ligma-exeLIGMA.exe is one of the files that initiates the process of encryption by scanning important documents, videos, photos, PDFs and so on. It leaves no any hope for the victims to decode the files and hence it is also known as ransomware-wiper virus. After the encryption process been done, it changes the desktop background to a black screen that has the note written in green color. The note appears to be too scary as it does not have any demand of ransom like other typical ransomware.

The note reads as :

This PC is dead because you did n't follow the rules.
Your PC will never work again.

NOTE: Even if you fix the MBR your Your PC Is Dead.
Entire Registry is Fucked and your files are infected."

Along with encrypting data, ligma.exe virus also causes other serious damages to the attacked computer like

  • Modifying registry entries and adding startup process to automatically start the program once the user turn on its system;
  • Scans the whole computer system to collect device related information;
  • After the encryption been done, it also helps in deleting the shadow volume copies of the encrypted files.

The motive of LIGMA ransomware is just to completely wipe clean your device rather than just demanding ransom from victims.

What to do when infected with LIGMA Ransomware?

Many security experts have analysed the samples of LIGMA ransomware and is detected by some renowned anti-malware programs like Ransomware Defender. This crypto-malware is also detected by various Trojan variants:

  • Gen:Heur.MSIL.Krypt.4
  • HEUR/QVM03.0.8321.Malware.Gen
  • Msil.Trojan.Diztakun.Dzjg
  • RDN/Generic.dx
  • TR/Kryptik.fszrq
  • Trojan ( 0053b2df1 )
  • Trojan ( 0053c1991 )
  • Trojan.Agent!8.B1E (CLOUD)
  • Trojan.Generic.bnniw
  • W32/Trojan.KIWF-3406
  • Win32/Trojan.57b
  • malicious_confidence_90% (D)
  • malware (ai score=88)

LIGMA ransomware leaves no way to decrypt the files and also deletes the Shadow volume copies of the encrypted files.

Unfortunately, the data altered by the LIGMA Ransomware can’t be restored. If the threat manages to encipher the MBR record, rebooting Windows will not lead to anything good. The System Recovery disks can’t help you return the system to normal.

The better way to deal with LIGMA crypto-malware is to remove it using anti-malware tool and them attempt recovery of encrypted data. As till the infection is present on the system, it will not let you perform any recovery. And even it will keep on encrypting any new files or data inserted through USB drives. To avoid this, experts recommend not to use the infected system as it can lead to more damage.

How To Remove LIGMA Ransomware

In this guide, you will find removal instruction of LIGMA Ransomware both manually and using anti-malware tool. At times, virus does not allow the installation or scanning of anti-virus program, so you need to switch to “safe mode with networking”. After that you can try recovery of your data if you have any backup or we have listed some methods which may help you to recover some of your data.

Ransomware attacks can be haunting for any user as the system contains our valuable data which we cannot afford to lose. The best tip any security expert will give you is to keep backup of your important documents to fight against such threats. Don’t forget to read the preventive guidelines at the end of the article which will help you stay safe from such attacks in future.

Note! If your Mac OS is infected with LIGMA.exe then please visit this link for Mac OS Virus Removal Guide.

Step By Step LIGMA.exe Removal Guide For Mac OS

Special Offer
“LIGMA.exe” may reinstall itself multiple times if you don’t delete its core files. We recommend downloading Ransomware Defender to scan for malicious programs. This may save your precious time and effort.

“Windows OS: Use Ransomware Defender To Remove LIGMA.exe (Recommended)”

Ransomware Defender Overview

Ransomware Defender Review And Full Installation GuideShieldApps’ Ransomware Defender is a specially designed security program for Ransomware threats. This anti-ransomware program detects and permanently blocks any ransomware prior to its attack on the protected system.

Ransomware Defender maintains its threat database and its related information which makes the program proactively detect any sort of threat and notifies users upon detection. This anti-ransomware program works well along with your primary anti-malware applications and does not interfere with its work.

Ransomware Defender is compatible with Windows 7, 8, 8.1 and 10. And is suitable for both home and business network. It has various prominent features like real-time ransomware detection, scan protection, history cleaner, file transfer tools and automated scans that helps in better detection of ransomware threat and blacklist them from your system permanently. Additionally, this anti-ransomware solution also provides firewall security, internet protection, mobile security, and virtual private network configuration. The solution also offers 24/7 customer support via email.

If you generally do not keep backups of your important files and documents or use your computer or device for storing financial and business details, then it is very important to keep them secure. Here Ransomware Defender is proved as a comprehensive anti-ransomware solution.
Do not compromise with your computer’s security.

Ransomware Defender solution comes with a subscription of $49.95.

Ransomware Defender Features

  • Ransomware Protection: This ransomware solution effectively detects, removes and blacklists any ransomware that attempts to attack your system. And always keep monitoring the system within background for any possible attacks.
  • Smart Ransomware Detection: Due to its advanced technology of threat detection, you can rest assured of system protection. It will give real-time updates and report of any suspicious activity.
  • Internet Security: Protects from any unethical web activity, malicious attempts to breach your internet security, blocks any malicious websites and infected online scripts through ransomware generally enter.
  • Scheduled Scan/Clean Action: It provides a user-friendly and fully automated solution for schedule scans at your preferred timings, thus even if you forgot to manually scan your computer you are still protected.
  • Secure File Eraser: It’s a very important feature provided by Ransomware defender that empowers you to fix any of your files/applications that you suspect as infected.
  • 24/7 PROTECTION: Ransomware Defender provides 24/7 real-time protection due to its auto and schedules scan mechanism that guards your system all the time.

Installing Ransomware Defender

Follow these steps to download and install Ransomware Defender on your computer.

  • Click on the link to Download Ransomware Defender.
  • Choose the location to save the installation file and click on “save”.
    Ransomware Defender install step 1
    Ransomware Defender install step 1
  • After the download is completed, double-click on the downloaded file to open.
  • If prompted by User Account Control: click on “Yes” button.
  • This will open an installation wizard. Click on “Install“. Now simply follow the on-screen instructions to complete the installation procedure.
    Ransomware Defender install Step 2
    Ransomware Defender install Step 2
  • After Ransomware Defender successfully installs, a new tab or window will open on your browser showing confirmation of the installation.

Run Scan To Detect Ransomware threat on your computer

Follow the steps to properly scan and remove ransomware threat from your computer:

  1. Start the scan: Once the installation is completed, the Ransomware defender application window will open. Here you have 3 options for scan: Quick, Deep, and Custom. We suggest doing Deep scanning for the first time for better detection of ransomware threats.
    Ransomware Defender Scan
    Ransomware Defender Scan
  2. Let the scanning process be completed: Scan will take a few minutes so be patient and let the scan be fully completed.
    Ransomware Defender Scan In Progress
    Ransomware Defender Scan In Progress
  3. Review the Scan Results and remove the threats: Review the scan results that will show all the threats and malware found during the scan process, you can manually choose to remove the threats one-by-one by clicking on the threat name and select “delete” or simply click on the “Clean All” button.
    Ransomware Defender Remove Threats
    Ransomware Defender Remove Threats


Windows OS: Manually Find And Remove LIGMA.exe (Recommended Only For Advanced Users)

The manual steps guided below are the links separately made with caution, to avoid any confusion to our readers. Please follow the links below and perform them one by one. If you are going for the manual removal process, then we recommend you to print/download these instructions or open it from another uninfected computer or laptop and follow step-by-step manual removal instruction. Windows OS PDF Guide.

Method 1: Remove Ransomware and its associated files from the computer through safe mode with command prompt.

  1. Reboot your computer to “Safe Mode with Command Prompt”
  2. End malicious process from “Task Manager”
  3. Deleting “Registry Entries” created by the Ransomware threat
  4. Deep Scan the infected computer to ensure complete removal (Recommended)

Click here to perform the step-by-step manual removal procedure.

Method 2: Remove Ransomware virus using System Restore Procedure

After that, the ransomware threat should go, but if it is still there, then you need to try another method which is the “System Restore”. Click here to perform System Restore in Windows OS.

How to Restore the Encrypted Files?

Click here to know How you can restore the encrypted file.

Special Offer
“LIGMA.exe” may reinstall itself multiple times if you don’t delete its core files. We recommend downloading Ransomware Defender to scan for malicious programs. This may save your precious time and effort.

About the author

UnboxHow Team

If you have come this far, it means that you liked what you are reading. Why not reach little more and connect with us directly on Google Plus, Facebook or Twitter. We would love to hear your thoughts and opinions on our articles directly.

Add Comment

Click here to post a comment