LIGMA.exe is a malicious file associated with LIGMA ransomware.

Threat Description:

LIGMA.exe is an executable file related to initiate the malicious process of LIGMA ransomware on the infected computer or device. LIGMA is a file-encrypting malware that was first detected on 8th September 2018 that generally spread through spam mail attachments.

This crypto-malware uses AES-256 encryption algorithm to encode the files and lock them with “.ForgiveMe” file extension. For example, ‘blackcat.jpeg’ is renamed to ‘blackcat.jpeg.ForgiveME.’

LIGMA ransomware is considered as most damaging as it gives no option of paying the ransom to get back the files. It more acts like a wiper which attacks the MBR sector of the attacked system and any of its attached memory disks. This makes nearly impossible for the victims to enter into the windows boot screen.

LIGMA.exe Distribution methods:

Like other Ransomware threats, LIGMA.exe too mostly spreading through spam mail attachments that may contains macros, malicious links or auto-activation codes. These mails appear to be very sophisticated as they may entitled as any invoice, job application, fax or so on.

Once the user open the links or download the attachment then the payloads of the virus gets downloaded to the computer system. And silently initiates it activities from background. Besides this, there are many other sources through which ransomware-laden malware program can attack your computer or device. To known more about them in details read What is Ransomware and how it works?

More About LIGMA.exe

LIGMA ransomware is reported to mainly attack windows 7 PCs. Once this ransomware hit on any PC, it drops several files within the C:WinWOW32 to execute its malicious tasks:

  • LIGMA.exe,
  • Payloads.dll,
  • work.bat,
  • Mbr.bin.

ligma-exeLIGMA.exe is one of the files that initiates the process of encryption by scanning important documents, videos, photos, PDFs and so on. It leaves no any hope for the victims to decode the files and hence it is also known as ransomware-wiper virus. After the encryption process been done, it changes the desktop background to a black screen that has the note written in green color. The note appears to be too scary as it does not have any demand of ransom like other typical ransomware.

The note reads as :

This PC is dead because you did n't follow the rules.
Your PC will never work again.

NOTE: Even if you fix the MBR your Your PC Is Dead.
Entire Registry is Fucked and your files are infected."

Along with encrypting data, ligma.exe virus also causes other serious damages to the attacked computer like

  • Modifying registry entries and adding startup process to automatically start the program once the user turn on its system;
  • Scans the whole computer system to collect device related information;
  • After the encryption been done, it also helps in deleting the shadow volume copies of the encrypted files.

The motive of LIGMA ransomware is just to completely wipe clean your device rather than just demanding ransom from victims.

What to do when infected with LIGMA.exe Ransomware?

Many security experts have analysed the samples of LIGMA ransomware and is detected by some renowned anti-malware programs like Ransomware Defender. This crypto-malware is also detected by various Trojan variants:

  • Gen:Heur.MSIL.Krypt.4
  • HEUR/QVM03.0.8321.Malware.Gen
  • Msil.Trojan.Diztakun.Dzjg
  • RDN/Generic.dx
  • TR/Kryptik.fszrq
  • Trojan ( 0053b2df1 )
  • Trojan ( 0053c1991 )
  • Trojan.Agent!8.B1E (CLOUD)
  • Trojan.Generic.bnniw
  • W32/Trojan.KIWF-3406
  • Win32/Trojan.57b
  • malicious_confidence_90% (D)
  • malware (ai score=88)

LIGMA ransomware leaves no way to decrypt the files and also deletes the Shadow volume copies of the encrypted files.

Unfortunately, the data altered by the LIGMA Ransomware can’t be restored. If the threat manages to encipher the MBR record, rebooting Windows will not lead to anything good. The System Recovery disks can’t help you return the system to normal.

The better way to deal with LIGMA crypto-malware is to remove it using anti-malware tool and them attempt recovery of encrypted data. As till the infection is present on the system, it will not let you perform any recovery. And even it will keep on encrypting any new files or data inserted through USB drives. To avoid this, experts recommend not to use the infected system as it can lead to more damage.

How To Remove LIGMA.exe Ransomware virus Without Paying Ransom

In this guide, you will find removal instruction of LIGMA Ransomware virus both manually and using anti-malware tool. At times, virus does not allow the installation or scanning of anti-virus program, so you need to switch to “safe mode with networking”. After that you can try recovery of your data if you have any backup or we have listed some methods which may help you to recover some of your data.

Use HitmanPro.Alert To Remove LIGMA Ransomware(Recommended)”


HitmanPro.Alert is an advanced anti-malware program that takes on proactive approach towards threat behavior and its activities. Running HitmanPro.Alert on your computer will provide your real-time status, checks the browser integrity and alerts or any suspicious activity. So that you can have a safe browsing and online transactions. Read the full review of HitmanPro.Alert here.

Steps To Install And Run HitmanPro.Alert

  • Click on the provided link to download HitmanPro.Alert anti-malware;
    HitManPro.Alert Step1

    HitManPro.Alert Step1

  • Now, open the download folder to locate “hmpalert3”;
    HitmanPro.Alert Step 2

    HitmanPro.Alert Step 2

  • Click on it, to begin the installation;
  • It will ask your User Account control, if prompted click on “yes”; The download should begin shortly. HitmanPro.Alert window will appear, where you need to choose the options:
HitManPro.Alert Step3

HitManPro.Alert Step3

  • Choose Protection level as Maximum
    And tick the other boxes and finally click on “Install”.
    HitmanPro.Alert only takes 5MB of your memory and is very quick to install.
HitManPro.Alert Step4

HitManPro.Alert Step4

  • After the installation is complete, the scan will start. First scan may take up some minutes, as it will scan the whole computer.
    HitmanPro.Alert step 4

    HitmanPro.Alert step 4

  • The scan results are here. Carefully look down the list. You can here, the scan has found 1 Riskware and thousands of traces which can be risky.
    HitmanPro.Alert step 5

    HitmanPro.Alert step 5

  • You can select the threat to delete, quarantine, ignore or, mark as safe. If you want to remove all the threats, then simply click on the “Next” button below.
    HitmanPro.Alert step 6

    HitmanPro.Alert step 6

  • HitmanPro.Alert first creates a restore point and then starts the removal process. This helps to recover from any damage.
    HitmanPro.Alert step 7

    HitmanPro.Alert step 7

So, by performing the above steps, you can get rid of LIGMA Ransomware.

Manually Find And Remove LIGMA (Recommended Only For Advanced Users)

The manual steps guided below are the links separately made with caution, to avoid any confusion to our readers. Please follow the links below and perform them one by one. If you are going for the manual removal process, then we recommend you to print/download these instructions. Else open it from another uninfected computer or laptop and follow step-by-step manual removal instruction. Windows OS PDF Guide.

Method 1: Remove LIGMA Ransomware and its associated files from the computer through safe mode with command prompt.

  1. Reboot your computer toSafe Mode with Command Prompt”
  2. End malicious process from “Task Manager
    1. Disable Auto-Startup Apps
    2. Remove Unwanted Programs From Scheduled Tasks
    3. Delete Temp Data and Prefetch
    4. Deleting “Registry Entries created by the Ransomware threat
  3. Deep Scan the infected computer to ensure complete removal (Recommended)

Click here to perform the step-by-step manual removal procedure.

Method 2: Remove LIGMA Ransomware virus using System Restore Procedure

After that, the ransomware threat should go, but if it is still there. Then you need to try another method which is the “System Restore”. Click here to perform System Restore in Windows OS.

How to Restore the Encrypted Files?

Here is a separate article that guides users of various methods to recover their encrypted files. However, the ransomware makes sure the files may not be unlocked by other tools, but you should try them out.

Click here to know How you can restore the encrypted file.

More From Unboxhow